A “New Deal” Between Governments and Tech Companies?

Robert Hannigan, the new Director of one of the UK’s intelligence agencies, GCHQ (Government Communications Headquarters), has taken over at a time when the agency is facing scrutiny on an unprecedented scale in its 100-year history.

GCHQ has been directly implicated in bulk data collection practices and data sharing with other intelligence agencies worldwide, sparking parliamentary debate, an inquiry into UK surveillance practices, a review of the UK’s surveillance regulatory framework, and a case at the European Court of Human Rights.

It therefore came as a surprise to some when Hannigan’s first public remarks since becoming Director in an article in the Financial Times openly criticised technology companies for being “in denial” about the damage their practices cause when terrorists use their services. Hannigan contends that technology companies “have become the command-and-control networks of choice for terrorists and criminals” and his article calls for “greater support” from the private sector, in particular from US web-based companies who in his view need to “[come] up with better arrangements for facilitating lawful investigation by security and law enforcement agencies than we have now.”

There is no doubt that terrorist groups like ISIS, the extremist army which has unleashed a reign of terror in Syria and Iraq, have embraced the web to promote their beliefs, to intimidate people, and to radicalise and recruit disaffected youth. ISIS is a tech savvy group, using tricks such as “hashtag hijacking” to infiltrate social media conversations by using popular hashtags to spread threats, which are then seen by millions of people.

Such developments pose significant challenges for tech companies. Community rules and standards clearly need to be in place to ensure that material that is designed to incite violence, threaten or intimidate is tackled immediately. There are many types of expression on the Internet that must be combated such as women being threatened with rape, or homophobic or racist comments. Terrorist organisations and other illicit groups are serious online threats. But Hannigan’s article makes no reference to how such threats should be tackled, including through online counter-speech initiatives, through de-radicalisation efforts in the real world, or recognising what companies already do, such as Twitter and YouTube removing beheading videos posted by ISIS and blocking accounts of known terrorists.

Hannigan’s main concerns instead appear to be focused on encryption and anonymity. He says these techniques, once “the preserve of the most sophisticated criminals or nation states now come as standard.” But the fact is that encryption should be standard because of the increasing amount of legitimate activities people now conduct over the Internet that involve personal information, such as banking, buying and selling goods, filing tax returns, and so on. Encryption is important to keep our data safe from criminals, and tech companies have a responsibility to keep their users’ details safe.  

Cybercrime is a major problem in the UK. A report by the UK National Audit Office on the UK Cybersecurity Strategy in 2013 estimated the annual cost of cybercrime in the UK was between £18-27 billion. A survey by Get Safe Online reported that over half the people in the UK have been victims of some kind of cybercrime. Encryption is necessary to prevent that.

Yet despite its importance in protecting privacy online, intelligence agencies, including GCHQ, have purposefully tried to weaken encryption. That development has concerned experts who argue that weakening encryption places everyone at risk, even if it is done by an intelligence agency ostensibly for security purposes. Creating vulnerabilities in applications for the purpose of state surveillance can also make it easier for criminals to exploit those loopholes.

Encryption and anonymity often go hand in hand, as encryption tools help keep people anonymous. Internet anonymity offers essential protection for vulnerable people. The UK government’s own website recognises this, stressing that people can remain anonymous when reporting suspected terrorism offenses. Why, then, criticise Internet anonymity?

Hannigan suggests that intelligence services collect, analyse and store our data to protect us and that companies do exactly the same but to make money through advertising. While there are serious concerns regarding how companies collect, amass, share, and trade user data, there is a huge difference between data collection by a commercial service and by an intelligence agency. Users can opt out of using the services of companies like Facebook and Google if they feel uncomfortable with the amount of their data they feel they no longer control. There is no such opt-out provision from government surveillance.

The new GCHQ director has called for “a new deal between democratic governments and the technology companies in the area of protecting our citizens.” But we must first acknowledge the destruction of trust between companies and intelligence agencies that continues. Intelligence agency activity such as infiltrating the links between companies’ servers or capturing information from user webcams  have seriously damaged their relationship with tech companies.

Industry representatives have begun to respond. Mark Stephens, the Chair of the Global Network Initiative (GNI) wrote in the Financial Times that, “ the necessity and proportionality of any intrusion into privacy or free expression must be demonstrated, not simply asserted in a “nanny knows best” way by an unaccountable state.” Julian David, Chief Executive of the industry association techUK said in the Telegraph, “To ensure public confidence, both in the digital economy and our democracy as a whole, any obligations placed upon technology companies must be based upon a clear and transparent legal framework and effective oversight rather than, as suggested, a deal between the industry and government.”

People have the right to demand fairness – from their security agencies and from companies. There must be clear rules and companies and security agencies must be accountable to users and the public at large. Without clarity and transparency, users and the public at large are right to be sceptical about the state’s intentions and justified in expecting tech companies to demand greater clarity from governments, and if not, to resist.