Abstract
In the wake of the attacks in Paris, how far should governments go to get the balance between national security and personal privacy right? Member of the British House of Lords and internet guru
Martha Lane Fox
When it comes to balancing national security and personal privacy, I believe that your personal data should be your personal data, and that action should be taken based on a case that can be proven, as opposed to looking at everyone in society’s movements and then targeting those who stand out. I am not a fan of the world we seem to be ending up in, and I don’t necessarily believe that it is because of anything malicious. I think it would be better to have a system where your data is your personal property, and there then have to be the same restrictions applied as would be the case if someone wanted to enter your home and go through your belongings or intercept your post.
Martha Lane Fox
Tim Cross
Like fighting terrorism, governments have to “fight” with one hand tied behind their backs, but they cannot fight with both hands tied as some would clearly prefer. Individuals will understandably not want governments interfering with, or prying into, their personal privacy, but no one will thank any government if the banking system or consumer supply chains were to collapse. Monitoring cyberspace now forms a key part of any government responsibilities, and is (or should be) included in any national security strategy.
Tim Cross
Credit: Mark Boardman
This said, if people fear the state is holding too much data on them unnecessarily and (rightly) demand some semblance of control over what happens with that data, then government is the least of their worries. Leaving aside the fact that government resources are scarce, the idea that some government employee is sitting in a room somewhere carefully sifting through everyone’s email is fanciful. Intelligence and law enforcement have to meet certain criteria including necessity, proportionality and justification. This is absolutely the way it should be. But private firms have no such restrictions in place. Government intelligence and law enforcement agencies are rightly burdened by layers of legality, including authorisations, justifications and audit trails, but big corporations, particularly those whose primary public interface is through cyber means, use and exploit personal details for a wide variety of reasons. While these may sometimes include improving their services, more unpalatably they sell details on to third parties. This is absolutely endemic. Many companies will not allow customers to use their service unless they agree to terms and conditions that essentially mean losing control of their personal details and allowing them to be sold on to the highest bidders. The primary concern of business is making money. Not so with governments, whose intelligence and law enforcement agencies are about deterring/catching enemies and protecting the public.
Martha Lane Fox
It is impossible to say whether security is more important than privacy. I think it is largely dependent on circumstance. For example, in times of great national danger, and I would argue that this is not one of those times, there may be trade-offs that are acceptable to make us a community or country. However, ultimately it should not be a choice between security and privacy, or a case that you must choose one. It is, in fact, much more complex and nuanced than that and it depends wildly on circumstance, as well as the individual, timing, and all of the complexity you would expect to accompany that argument.
Tim Cross
The issue is what/whose “security” we are talking about. People’s personal security, physical and electronic, is ultimately an individual responsibility, but even here governments have a role to play in trying to ensure that the correct regulations are in place, and policed, to give them the best chance of keeping/staying safe. Of course, those states that repeatedly stress that security is undoubtedly more important than privacy such as North Korea, Russia, China and various areas of the Middle East get this wrong, but the wider security of community, society and/or a nation does rest with government. Indeed it is supposedly their first priority. Notwithstanding terrorist attacks like the most recent one in Paris, protecting critical national infrastructure against cyber attack, for example, is a key issue for any democratic government.
Martha Lane Fox
I don’t think that the “new” digital age requires the implementation of a different set of rules surrounding privacy and security. The rules should stem from the ethics and morals on which society is based. I believe individuals should have a right to privacy. There is a very pernicious overtone to the argument that: “Oh, I’m not doing anything bad, therefore it doesn’t matter if someone is watching me.” Even if you are semi-conscious of being watched, there is a shift in the relationship between you as an individual and the state. The online world certainly has a greater complexity, and is clearly wildly different, but I do not think it means that we should approach it with an entirely different moral compass to how we would approach other areas.
It shouldn’t be a choice between security and privacy, or a case that you must choose one
Tim Cross
The principles probably remain much the same. It is the practical implementation of those principles that has changed, as it has done over the centuries with the arrival of new technologies. The problem today is that there is so much digital data/information around that monitoring it in an acceptable way is a very difficult trick to get right. There has always been a need for secrecy and a need for an ability to “encroach” on privacy, controlled by proper legal process, in order to protect the public. Exercising that is probably harder today then previously, but the right of personal privacy and freedom from unnecessary state intrusion remains vital. It is one of the lynchpins that separates us from repressive regimes and it must be protected and respected in all but exceptional circumstances. The actual wording of Article 8 (Right to Privacy) of the European Convention on Human Rights is pretty much spot on here.
We are constantly at war. Potential and real enemies are always collecting data and information
Martha Lane Fox
I do think that perhaps different rules apply during times of war. We are very lucky that during the time of the internet’s real growth we have not been in a brutal time of war here in the UK. I am sure you would feel quite differently if you were sitting in the middle of Syria right now, and I would argue that the terrorist threat does not class as a time of extreme war. It is very different to one country descending on another. And I really do find the use of certain language as an escalation of threat, quite unpleasant. So, although I think different rules apply here, I don’t know what they are, and I am unsure as to when those triggers happen, but it is very important to challenge what the real threats are.
Tim Cross
In simple terms, yes, but the distinction between “peace” and “war” is not clear cut. In one very important sense we are constantly at war. Potential and real enemies are always collecting data and information. The reasons may be terrorist or criminal in intent, directed at both individuals and/or businesses, or they may be aiming at, for example, defence assets or critical infrastructure, such as energy/power supplies. These “enemies” have multiplied and become increasingly diverse, and they utilise cyber tools extensively whether working for a state, a group or alone on a political “cause” or just for anarchy and to gain kudos within the online community. Defence, particularly cyber defence, needs to be strong at all times because we are under constant assault.
Martha Lane Fox
I challenge the idea that the use of the internet was not originally predicted as a means of surveillance, and I do so partly because the invention of the internet came out of military investment in technology as a network for defence, a seed which was sown, arguably, at the time of Bletchley Park. So, I think it is slightly more nuanced than surveillance being simply overlooked. I think it wasn’t thought of in the way we understand it now and that is partly because it would have been hard to imagine the proliferation of this technology being so rapid and the power it would have. For that reason I don’t find it surprising that it has gone in directions we perhaps had not imagined.
Tim Cross
The internet was always seen as a surveillance tool by those few who really understood its potential. There is now a much broader understanding of the capabilities, for good and ill, but, the majority probably still do not understand its potential.
Martha Lane Fox
But I think some small percentage of people are aware of their digital security, and a huge majority are not, and I think some people care a great deal about it, and some people don’t care at all, which might be due to a lack of information or even misinformation. What I do believe very strongly is that digital literacy, your ability to have a connection to the internet and to use the internet, is only one part of the greater picture of your life online. Part of it is having an awareness of what happens when you access the internet, about what information Facebook can save, or whether you understand that when you send a WhatsApp message it could be sitting on a server somewhere. We’re not anywhere near being able to equip people of all ages with these skills, which are equally as important as the technical ability to use the web.
Tim Cross
The vast majority have no real understanding of what information they are placing into the “public” domain when they use the various commonly owned electronic/digital devices.
Martha Lane Fox
There are, of course, threats to security from hacking. You only need to look at what happened with the Sony hack recently to understand the scale of what is possible. It’s naïve to imagine that this isn’t a very real and present danger. When democratic governments are elected, some of their key responsibilities are to keep citizens safe and to protect their data, as well as government data. So hacking is a very profound threat, but you are much more likely to be run over by a car than to be involved in a terrorist attack. It is this sense of proportionality which often gets lost.
Tim Cross
Most hacking is relatively unimportant. It nonetheless disrupts individual and business life. Further, hackers are constantly attacking all firms/companies, hunting for private data. Some of these companies put virtually no investment whatsoever into their cyber security, endangering customers by leaving their information open for any savvy (or not so savvy) hacker to get hold of.
Martha Lane Fox
It has been well documented how Islamic State has been using the web, and just as other infrastructures can fuel potentially dangerous groups of people, for example the road networks or airline system, so does the internet. The only difference is that the transfer of information is much more rapid, much more difficult to track, and on a much more global scale. These dangers are not going to disappear, but I believe it is also very important, again, to keep them in proportion as there is a danger that the amplification of what happens online can create a massive amount of misinformation, and this perhaps goes back to the idea of educating people about the potential power of the web. I think there is a really interesting problem around how you teach anyone, not just children, about authenticity. From my readings of the recruitment of terrorist networks, emerges this notion that people in disconnected places connect to people on the internet who feel authentic, who are running a terrorist cell on the other side of the world, and those people perhaps embark on a journey believing they are going to find something at the end of it that is more true to them than the community they are in, which could clearly be very wrong. It’s about balancing what you find online with what happens in the “real” world and I think authenticity is going to become even more important.
You only need to look at what happened with the Sony hack recently to understand the scale of what is possible
Tim Cross
Terrorism is but a tactic. It has been around since Adam was a lad, but its ability to influence both individuals and governments is certainly greater today than before. As in dealing with all threats information is central. Data is collected from any number of sources, human and electronic, and that data is then analysed to produce information. The information is assessed to produce knowledge, which in turn allows decisions to be made. “Intelligence-led” operations almost always produce the best results and that applies to both terrorism and counter-terrorism. So constantly gathering data/information to assess and update potential risks and vulnerabilities is crucial.
Footnotes
Major General (Rtd)
