Privacy and Security – the Balance
In the first of a two-part feature, Director Steve Southern considers the delicate balance between the need for both security and privacy
The issue of privacy versus security is one that interests and concerns me. There is a tension between privacy and security, and a balance to strike. Or is there?
I was contemplating this several weeks ago, long before I realised that David Anderson Q.C., the Independent Reviewer of Terrorism Legislation, was about to publish his report ‘A Question of Trust’ – a timely coincidence.
I served in the RAF in Germany during the 1980s, at the height of the Cold War. No one seemed overly concerned about privacy back then. In fact, I don't recall it ever being mentioned. The people I knew and worked with were far more worried about a potential Soviet invasion. But in addition to deterring the Soviets, my colleagues and I were engaged in a real war being waged in Germany and the Netherlands during the same period. The IRA was active on the continent of Europe and was targeting members of the armed forces. During my time in Germany there were several attacks by the IRA, including car bombs and shootings. Checking for IEDs under the car whenever it had been left unattended became second nature to everyone.
It was during my second tour of duty in Germany that I came as close as I ever want to get to a car bomb. I was living with my family at the Joint Headquarters Rheindahlen when on 23rd March 1987 an IRA car bomb detonated outside the Officers Mess.
Our house was maybe 600 metres away, but the bomb was later reckoned to have been around 130Kg and we certainly felt the force of the blast. The engine block of the car ended up wedged high in the branches of a tree some distance away from the scene of the explosion. You can read about this attack here: http://goo.gl/h0eJM0.
Fortunately no one was killed on that occasion, although others were less fortunate in later attacks, including a serviceman and his six-month-old daughter who were shot dead at a petrol station outside Wildenrath, a short distance away from Rheindahlen, in October 1989.
I know from my own personal experience that in any given conflict, or potential conflict, intelligence plays a vital role. I also spent five years in signals intelligence during my service career, working alongside and inside many of the 'agencies' that are now commonplace in media reports, including those about the now infamous Edward Snowden. What may not be immediately apparent or obvious to many on the 'outside' is that intelligence is vital in preventing conflict, and countless lessons throughout history provide compelling evidence of this fact.
In the sixth century BC, Sun Tzu devotes a chapter in his treatise 'The Art of War' to intelligence and espionage. He says: "Hence it is that with none in the whole army are more intimate relations to be maintained than with spies. None should be more liberally rewarded."
I'm not sure that Edward Snowden will be feeling very liberally rewarded, stranded as he now seems to be in Moscow for the foreseeable future. I believe that better intelligence could have prevented the IRA bombings and shootings in Germany and the Netherlands during the 1980s; better intelligence could have prevented 9/11; and I know from my contacts in the police and security services that better intelligence is thwarting terrorist plots on the streets of our cities every day. Of course it's not quite that simple. It's not only the quality of intelligence that matters, including its timeliness, but what we do with it that can really make a difference; sometimes between life and death.
Today we often have too much intelligence: "Nowadays the commander is confronted with too much information, rather than too little, and it is his informed judgement which ultimately decides what is relevant and important" wrote Hugh Faringdon in his book Strategic Geography: NATO, the Warsaw Pact, the Superpowers (The Operational Level of War). An excellent reminder that even in these days of big data and analytics, critical life and death decisions based upon intelligence are still made by humans, not computers.
I once worked closely with a senior police officer as I was helping him to push forward the Information Security agenda throughout the police service. He had great skill and credibility in relating Infosec to his personal policing experience.
A favourite example he would often cite was from his time commanding a tactical firearms unit. He would make the point that the firearms officers about to kick a door in would need accurate and up-to-date information about the people inside the dwelling, and especially whether any firearms were thought to be present. Inaccurate or out-of-date information in such scenarios could put the lives of officers and others at risk. Getting back to my point, there are endless examples of where intelligence has saved lives, rather than put lives at risk. So what about the other side of the coin, the concerns over personal privacy and excessive surveillance by the state?
I was recently chatting to a senior regulator source about potential changes to privacy laws being considered by the EU. He told me that these changes are being driven by large corporate entities in the US who claim that doing business in Europe is too complicated due to 27 nations each having their own slightly different data protection laws and regulations. The EU are therefore trying to simplify and harmonise data protection across all member states and if they succeed one consequence will be that our own Data Protection Act will ultimately be repealed. This is an act that to my mind has served us well, with clear principles about protecting personal information, backed up by some world-class advice and guidance from our Information Commissioner. How confident am I that a new single EU law will be an improvement? Not very.
Privacy issues are well documented, and campaign groups such as the Electronic Frontier Foundation are highly active in seeking to ensure that privacy is protected - something they regard as a basic human right. But how does anyone decide on what is an acceptable balance between personal privacy and state surveillance?
What may seem appropriate in one country may be viewed by a majority in another country as entirely inappropriate, and vice versa. Each individual citizen may have his or her own view on what constitutes an acceptable balance. Such views can become polarised, and in a modern democracy how are these many different viewpoints to be harmonised into an appropriate legal and regulatory framework?
I happen to think we've done a pretty good job so far here in the UK, but ultimately this all comes back full circle to the notion that we need to achieve a balance. There is however another viewpoint, one that I happen to share, which is that we don't really need a balance. This is not a new argument, and at its most simple it proposes that the innocent have nothing to fear from state surveillance and everything to gain. The fundamental question comes down to which do we value more, our privacy or our own lives and the lives of our nearest and dearest?
Personally I tend not to over-analyse and for me, the state can listen to my calls, read my emails, watch me on CCTV, track my location, monitor my credit rating, view my social media activity, and ask me personal questions about sexuality, politics, race and religion in the interest of security clearance, if by so doing they can find that one vital clue which confirms that I'm plotting the next terrorist attack.
Of course in my case they will find no such clue, but for some individuals they will find it, and when they do it might prevent me or a member of my family being shot at, taken hostage, or blown to pieces. That works for me. I accept I may be in a minority, and I realise I am a product of my military and intelligence background, but it seems very clear cut; 600m away from a car bomb is about 10Km too close and I’m prepared to sacrifice a great deal of my personal privacy in the interests of never being that close again. But mass surveillance isn't the answer anyway, as it generates too much data, so the intelligence agencies are becoming smarter at screening out the majority of entirely innocent and blameless citizens like you and me. If they continue to become smarter, then perhaps we the majority can reasonably expect less surveillance, not more.
There's another angle to this, which has to do with how corporate entities respond to the issues, rather than how each of us responds as individual citizens. So while I may have a view on the balance between privacy and security - one that I've already explained above - that is not necessarily the view of my company, which may be obliged under law to respond in a certain manner when it comes to matters of privacy and security. And this is where Amethyst's expertise comes into play. We're not lawyers but we know the data protection law, and we know the ICO guidance and how to apply it, especially when it comes to things such as Privacy Impact Assessments (likely to become mandatory according to my source, if the EU data protection harmonisation goes ahead as planned).
I need time to absorb and consider David Anderson’s report, although I doubt it will change my personal view on privacy and security. See part two of this feature to find out…