Plans to make it easier to snoop on emails and phone calls are causing a furore in the UK. In SA, such methods are already in place — and are routinely abused.
The Tory government’s plans are outrageous, civil liberty organisations in the United Kingdom said this week.
Giving police and intelligence services sweeping powers to monitor which websites people visit and intercept their emails, SMSs and virtually any other electronic communications without real oversight would be a recipe for disaster, they say, and once the machinery of surveillance is in place, it will inevitably be subject to abuse.
Andrew Lewman, the director of Tor — the internet anonymity shield used by activists in Iran and China — warned that no matter how noble a state’s initial intentions were, such surveillance measures were a slippery slope.
“Once the data is collected, regardless of the current intentions, it will be used for all sorts of reasons over time,” Lewman told the Guardian newspaper. “The number of crimes [investigated using such measures] will expand to include all sorts of petty issues, political repression, and restrictions on speech. Eventually someone will think they can predict crime before it happens by using the data.”
And that’s just if the use of such protocols is above board. The risk of abuse by state instruments is a more worrying concern — and anyone looking for case studies of how these increased surveillance measures might play out need look no further than South Africa, where state intelligence agencies can — and do — access citizens’ private communications illegally.
The newly revived British plan, confirmed by the government at the weekend, would allow intelligence services and police access to what South African legislation refers to as communication-related information — numbers phoned, the length of telephone conversations, who emails whom, and what websites are visited — retroactively, and without the need for a warrant.
Part of the proposal also involves the installation, at the cost of service providers and carriers, equipment that would allow the real-time monitoring of telephone calls and internet sessions, although that would require a court order.
Such information interception ability, the British government says, is vital for the investigation of terrorism and serious crimes.
It is not yet clear how the proposed British system will get around the problem of unregistered telephones or the use of public internet terminals.
In South Africa, the solution was simple: it is illegal to own or issue a SIM card for a cellphone that does not have the correct identity and physical address of the owner registered, and it is illegal to provide a telephone or internet service that cannot be intercepted nearly instantaneously.
The 2002 Regulation of Interception of Communication Act (Rica) put in place most of the measures now under discussion in Britain. Though it requires interception directives to be issued by a magistrate or judge, it also allows any law enforcement officer to bypass such requirements on the grounds of urgency.
Even those measures are routinely ignored, however, as the Mail & Guardian reported last year, citing numerous sources within the state security agencies who claimed illegal interceptions were a common occurrence, especially in police crime intelligence.
Even when surveillance is entirely legal, the sheer volume of such cases is cause for serious concerns about the wisdom of allocating the resources required. In South Africa, a staggering number of legal interceptions has been carried out: over a four-year period up to 2010 — before the most onerous requirements of Rica came into effect — just one of the state’s eavesdropping centre had legally carried out three million interceptions.
The most common justification for such mass government surveillance is terrorism, despite the fact that there is no compelling evidence that dragnet-type surveillance would impede terrorists in any way.
“The basic idea is to collect as much information as possible on everyone, sift through it with massive computers, and uncover terrorist plots. It’s a compelling idea, and convinces many. But it’s wrong,” wrote US security analyst Bruce Schneier in 2006. “We’re not going to find terrorist plots through systems like this, and we’re going to waste valuable resources chasing down false alarms.”
Spies, damned spies and statistics
The problem, in Schneier’s view, is pure statistics. Gather enough information and inevitably small errors become impossible to deal with, even ignoring the privacy implications. No system that relies on a combination of web-browsing habits and telephone calls to identify threats is perfect.
Assume that only one innocent citizen is incorrectly identified as a possible terrorist out of every 10 000 who are subjected to automated scrutiny, which would be an astoundingly low false-positive rate. Assuming surveillance covers every South African, for instance, and that would make for 4 900 people who would have to be investigated — each one of which would tie up resources that could be used in a far better manner.
“Finding terrorism plots is not a problem that lends itself to data mining,” says Schneier. “It’s a needle-in-a-haystack problem, and throwing more hay on the pile doesn’t make that problem any easier.”
Except, of course, if monitoring capability put in place to gather intelligence and evidence is put to use for both mass surveillance and mass arrests.
“From now on, anyone who regularly consults websites that advocate terrorism or that call for hatred and violence will be criminally punished,” said France’s President Nicolas Sarkozy shortly after the March shooting and siege in Toulouse.
Whether or not any such measure will actually be implemented once France’s presidential elections take place this month remains to be seen.