Just Because It's Now Cheaper And Easier To Spy On Everyone All The Time, Doesn't Mean Governments Should Do It
from the Moore's-Law-strikes-again dept
Rick Falkvinge has another of his fascinating posts up on his Web site, but this one's slightly different from his usual insights into the dysfunctional nature of copyright and patents. It concerns some little-known (to me, at least) history of how Sweden went from being a beacon of freedom to a country under comprehensive surveillance.
As Falkvinge explains, things began with what seemed at the time a very minor matter:
the FRA [a Swedish security agency] had used a loophole in the law since 1976 that allowed it (maybe) to wiretap all phonecalls that were routed over satellites, by erecting their own receiver dishes next to the telco ones. This allowed them to receive all the satellite signals, in identical copies to what the intended receiver dish did. The law they used to justify this behavior was one that said that privacy cannot be expected over radio waves, and that anybody may listen to anything sent over radio -- which makes sense with shortwave-type radio amateur equipment, but not necessarily with satellite links: when you pick up the phone, you expect privacy, regardless of the technical route of the phonecall.
The key thing to note here is that there is a distinction being made between the vast majority of phone calls, and the special class of phone calls made over satellites. That meant that this was not a general spying capability, but a very limited one that only affected a class of users. Falkvinge goes on:
Fiber optics in the ground gradually replaced satellites as the preferred method of transmission, and the FRA complained to the administrative departments that it had lost its ability to wiretap, and wanted an amendment to the law that would -- in their own words -- just "compensate for technical developments".
So the logic here is that the security services were beginning to lose a very limited capability for spying on a special class of user. But note what it demanded as a consequence:
What they asked for was a requirement for every owner of fiberoptics crossing the border to send a mandatory realtime traffic copy to the FRA. They demanded to wiretap everybody, all the time, if your phonecall or internet traffic happened to cross one of these checkpoints (which you can’t tell if it does or not).
The key trick employed here was to claim that the change was just to "compensate for technical developments", and that there was some kind of equivalence between the eavesdropping on phone calls via satellites and those made via fiber optics. And it's true that fiber optics largely took over from satellites, but that does not make them equivalent. They are quite different technologies, and spying on one is not the same as spying on the other -- this was not truly about "preserving" a limited spying capability, it was taking advantage of the fact that it was now possible to spy on everyone in the same way, thanks to new technology.
So the FRA went from "using a possible loophole in the law to eavesdrop on satellites" to "demanding exactly everything all the time". This was a little bit more than just an update for technical progress; this was a huge difference in scale and a near-complete abolition of the right to privacy.
Significantly, this is exactly the same argument that the UK government is making with what it calls its "Communications Capabilities Development Programme" (pdf):
Communications data -- information such as who called whom and at what time -- is vital to law enforcement, especially when dealing with organised crime gangs, paedophile rings and terrorist groups. It has played a role in every major Security Service counter-terrorism operation and in 95 per cent of all serious organised crime investigations. Communications data can and is regularly used by the Crown Prosecution Service as evidence in court.
Notice this is couched in terms of "preserving the ability" of security agencies to spy just as they did in the past. In other words, the UK government would have us believe that this is simply preserving the status quo. But as in Sweden, that's not the case here:
But communications technology is changing fast, and criminals and terrorists are increasingly moving away from landline and mobile telephones to communications on the internet, including voice over internet services, like Skype, and instant messaging services. Data from these technologies is not as accessible as data from older communications systems which means the police and Security Service are finding it increasingly hard to investigate very serious criminality and terrorism. We estimate that we are now only able to access some 75% of the total communications data generated in this country, compared with 90% in 2006. Given the pace of technological change, the rate of degradation could increase, making our future capability very uncertain.
That is why, in the Government’s Strategic Defense and Security Review, published in 2010, we said we would "introduce a programme to preserve the ability of the security, intelligence and law enforcement agencies to obtain data and to intercept communications within the appropriate legal framework."
We therefore propose to require internet companies to collect and store certain additional information, like who an individual has contacted and when, which they may not collect at present. The information will show the context -- but not the content -- of communications. So we will have for internet-based communications what we already have for mobile and landline telephone calls.
It's still not entirely clear what the UK government wants to gather -- it has been understandably evasive on this front -- but it would seem to include things like recipients of emails, Skype contacts and addresses of Web sites visited (possibly even full URLs, which will point to very specific content.) But the details don't really matter, because this is actually a question of principle.
The UK government, like the Swedish government before it, is trying to set up a false equivalence between monitoring communications before the Internet became a mass medium, and after. But the intrusiveness of such surveillance before the Internet, and before computing power was available to analyze the data gathered, was limited. Back then, working out the network of contacts of a person of interest could be done, but with effort, and at some cost. This ensured that only the potentially most serious threats were investigated.
But once again, Moore's Law has changed everything. What the UK government wishes to gather would allow the entire social graph of everyone in the UK to be calculated in near real-time. It would mean that their every move online could be watched as it happened, and cross-referenced with their past communications history. As Falkvinge points out in another recent post, what has really changed is not so much the ability to spy, but the cost of doing so.
Today, thanks to our networked lives and the plummeting cost of hardware, national governments can monitor everything we do online for the same outlay as the much more limited surveillance of yesteryear. So what is really being preserved is not some supposedly circumscribed spying capability, but the orders-of-magnitude cost. By keeping that cost constant, governments can increase the scope of their spying hugely.
But just because the technology makes it possible, and the economics makes it feasible, doesn't mean governments ought to go ahead and do it. They may claim that they are simply "compensating for technical developments", but really they are trying to exploit those developments to go way beyond what was agreed before as socially acceptable, and to do so without any consultation on how much online surveillance should be permitted in a free society.
And as to the UK government's argument that "we are now only able to access some 75% of the total communications data generated in this country, compared with 90% in 2006", this conveniently skates over the fact that the quantity of such communications data has probably doubled in that time, since IP traffic is currently growing at around 32% annually: in absolute terms, more data is available than ever. This is not about preserving capabilities in order to stand still, it's about running ever faster into a world of total surveillance.