We've just written about new counter-terrorism
measures announced by the UK Home Secretary. In her speech, she concluded with this clear statement of future intentions
if the Conservatives win a majority in the UK's General Election next year:
I must emphasise that these [new surveillance] powers are limited and they do not mandate the retention of and access to data that would in all cases identify a suspect who has, for example, been accessing servers hosting illegal content. The progress in this Bill is welcome -- but we will still need to return to the Communications Data Bill in the next Parliament.
Of course, that would mean finding some way to win support for an intrusive Communications Data Bill, which provoked such a strong reaction the last time it was discussed. So it's interesting coincidence that the day after that place-marker by the Home Secretary, a new report
(pdf, and embedded below) has been published on a particularly brutal terrorist attack that took place on the streets of London last year
. The report comes from the UK's Intelligence and Security Committee (ISC), which was roundly condemned
by a Parliamentary committee earlier this year for being out of touch and ineffectual. It was asked to examine what lessons could be learned from the failure to stop the attack, given that both the two men convicted of murdering the British soldier Fusilier Rigby were known to the UK intelligence service. Here's a summary of the findings from the press release
The two men appeared, between them, in seven different Agency investigations -- for the most part as low-level Subjects of Interest. There were errors in these operations, where processes were not followed, decisions not recorded, or delays encountered. However we do not consider that any of these errors, taken individually, were significant enough to have made a difference.
We have also considered whether, taken together, these errors may have affected the outcome. We have concluded that, given what the Agencies knew at the time, they were not in a position to prevent the murder of Fusilier Rigby.
That is, despite tracking the two men responsible for the attack several times in earlier investigations, and despite making errors, the Agency -- MI5 -- is absolved of responsibility for what happened. But of course, for such a heinous crime -- the soldier was hacked to death on a public street in broad daylight -- a guilty party must be found. Here's what the ISC came up with:
The one issue which we have learned of which, in our view, could have been decisive only came to light after the attack. This was an online exchange in December 2012 between Adebowale and an extremist overseas, in which Adebowale expressed his intent to murder a soldier in the most graphic and emotive manner. This was highly significant. Had MI5 had access to this exchange at the time, Adebowale would have become a top priority. There is then a significant possibility that MI5 would have been able to prevent the attack.
According to the Guardian, that online exchange took place on Facebook
. The ISC it goes on:
We have examined whether the Agencies could have discovered this intelligence before the attack, had they had cause to do so: it is highly unlikely. What is clear is that the one party which could have made a difference was the company on whose system the exchange took place. However, this company does not regard themselves as under any obligation to ensure that they identify such threats, or to report them to the authorities. We find this unacceptable: however unintentionally, they are providing a safe haven for terrorists.
That "safe haven for terrorists" is, of course, precisely the rhetoric used by other senior intelligence officers, in what looks increasingly like a co-ordinated attack
on Internet companies and the encryption technologies that are increasingly being deployed. The ISC is quite clear what is needed -- more surveillance:
Our Report considers the wider relationship between law enforcement authorities and Communications Service Providers. None of the major US companies we approached proactively monitor and review suspicious content on their systems, largely relying on users to notify them of offensive or suspicious content.
Well, that's because they are communications companies: they provide ways to communicate, just like phone companies or the post system. There's no more reason they should be monitoring every piece of content on their systems than telephone companies should monitor the content of calls, or post offices the content of letters. It's not their job, and would in any case be an extraordinary invasion of privacy.
We also found that none of them regard themselves as compelled to comply with UK warrants obtained under the Regulation of Investigatory Powers Act 2000.
That's probably because they are generally US companies, subject to US law. If the UK were to insist that they complied with UK warrants as if they were UK companies, it will have to be prepared for UK companies providing services abroad to be subject to Russian and Chinese legal demands too. Is that really what it wants? The Commission then goes on to make its drift quite clear:
We note that the Government has already started to take action on these issues, through the Data Retention and Investigatory Powers Act 2014 and the appointment of the Special Envoy on intelligence and law enforcement data sharing. However, the problem is acute: until it is resolved the British public are exposed to a higher level of threat.
That is, far from letting considerations of privacy temper some of the more extreme counter-terrorism measures brought in recently, the ISC is hinting that the UK government should abrogate even more British freedoms -- purely to protect British freedoms, you understand.
That the ISC's report into the attack turns out to be a whitewash is no surprise. Earlier this month, the UK's leading human rights groups decided to boycott another inquiry that it would be conducting, since they had "lost all trust in the committee’s ability to uncover the truth." And just before the ISC report was published, it was claimed that the committee had "failed to speak to witnesses who say the plot's leader was repeatedly contacted by the security services before the attack":
Those making the allegations say they raise concerns about MI5’s conduct and offer a possible explanation of what contributed to his transformation from extremist into terrorist murderer.
Here's what the report says on this potentially crucial matter:
Adebolajo has said he was repeatedly pressed by the security services to turn informant for three years before he and Adebowale murdered Rigby.
In relation to the allegations that MI5 had been trying to recruit Adebolajo as an agent, MI5 has argued that it would be damaging to national security to comment on such allegations. All allegations concerning MI5’s recruitment of agents -- whether true or not -- fall under their ‘Neither Confirm Nor Deny’ (NCND) policy.
How convenient. But it's not the only thing that's convenient in this story. As the above indicates, the existence of messages between one of the killers and an extremist overseas allowed the report to absolve the UK's security services, and blame Facebook. But where exactly did that message come from? According to the Guardian:
David Cameron revealed that the messages only came to light after the attack "as a result of a retrospective review by the company". Sir Malcolm Rifkind, chair of the ISC. said the information was given to GCHQ "by a third party" on a confidential basis.
So who gave that information to GCHQ? The statement above makes it clear it wasn't Facebook itself but a "third party". Who else had access to such private messages? Someone at the company? Maybe, although that seems very unlikely given the company's awareness of how big an issue this would be.
Another obvious candidate is the NSA. Snowden has told us that it accesses and stores vast quantities of messages as they flow across the Internet; given the nature of the conversation, and the keywords it contains, it seems quite likely that it was added to a database somewhere, "just in case". Perhaps it was dug out at the request of GCHQ, which then passed it on to the company concerned -- in order to land it in hot water, and get MI5 off the hook. Just another benefit of being part of the Five Eyes club.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+