UPD Commons Intelligence and Security Committee Blames ISPs for Murder

It’s probably fair to say that most politicians can be a bit naïve when it comes to matters that require an understanding of ISPs and Internet communications. Sadly this also appears to be true of today’s report from the Commons Intelligence and Security Committee that effectively accused ISPs of failing to help stop the murder Fusilier Lee Rigby by not handing over key communications data.

The report covered a wide variety of areas as part of its investigation, yet by far one of the most interesting is the accusation that it levels towards ISPs and Internet content providers for failing to provide the content of a vital communication between the convicted murderer / terrorist Adebowale and an individual overseas (aka – FOXTROT).

It’s important not to selectively quote from this report as the context is paramount, thus we’ve pasted the key piece of text in full below and it’s well worth reading in its entirety.

Extract – Intelligence and Security Committee Report

Whilst our primary concern throughout the Inquiry was whether the Agencies acted appropriately given what they knew at the time, we have also considered material that has come to light after the attack. We have found only one issue which could have been decisive. This was the exchange – not seen until after the attack – between Adebowale and an individual overseas (FOXTROT) in December 2012. In this exchange, Adebowale told FOXTROT that he intended to murder a soldier. Had MI5 had access to this exchange, their investigation into Adebowale would have become a top priority. It is difficult to speculate on the outcome but there is a significant possibility that MI5 would then have been able to prevent the attack.

Given how significant this exchange could have proved, we have examined whether MI5 could have obtained access to it before the attack – had they had cause to do so (Adebowale was not under active investigation at the time the exchange took place). We consider it highly unlikely that the Agencies could have obtained it on their own. It would have required a particular chain of events: if GCHQ had issued the report linking an unknown individual (later identified as Adebowale) to another Subject of Interest (CHARLIE), or if MI5 had discovered Adebowale’s contact with another individual (ECHO), then MI5 might have sought to increase their intrusive coverage of Adebowale sooner. However, even then there may have been only a very slim chance that MI5 would have had sight of the FOXTROT exchange.

The party which could have made a difference was the company on whose platform the exchange took place. However, this company does not appear to regard itself as under any obligation to ensure that its systems identify such exchanges, or to take action or notify the authorities when its communications services appear to be used by terrorists. There is therefore a risk that, however unintentionally, it provides a safe haven for terrorists to communicate within.

Naturally today’s newspapers were full of similar regurgitated comments and quotes, such as this piece in The Guardian and another on Sky News, with almost none of the reports even bothering to consider the wider ramifications of what has been said. Incidentally the communications provider was apparently Facebook, although the post-report criticism appears to be focused on the whole industry from access to content providers.

Meanwhile certain politicians, such as the Prime Minister (David Cameron), were also quick to use the report as a tool to support their on-going calls for greater powers in order to snoop on everybody’s Internet communications, which somewhat overlooks the key failings of the MI5 and wider security services that are also expressed by the report.

PM David Cameron said:

“In December 2012, 5 months before the attack, Michael Adebowale had a crucial online exchange in which he wrote about his desire to kill a soldier. But the automated systems in the internet company concerned did not identify this exchange. And further, when they automatically shut down other accounts used by Michael Adebowale on the grounds of terrorism there was no mechanism to notify the authorities.

So this information only came to light several weeks after the attack as a result of a retrospective review by the company. The Committee conclude that “this is the single issue which – had it been known at the time – might have enabled MI5 to prevent the attack.”

…

We are already having detailed discussions with internet companies on the new steps they can take. And we expect the companies to report back on progress in the New Year. Mr Speaker, terrorists are using the internet to communicate with each other.

We must not accept that these communications are beyond the reach of the authorities or the internet companies themselves. We have taken action. And we expect the internet companies to do all they can too. Their networks are being used to plot murder and mayhem. It is their social responsibility to act on this.”

In summary, the report and PM complain that because an ISP/content provider didn’t or couldn’t provide the seeming content of a communication in which “Adebowale told FOXTROT that he intended to murder a soldier” then they are effectively complicit in the failure to stop it. It’s easy to see the logic in this unless you take a step back to consider the wider ramifications of what is being said.

Firstly current laws, including those that have twice previously been proposed as part of an expansion of Internet snooping powers (both of with have failed due to significant opposition and public concerns), only reflect basic access logs and do not include the content of your communication.

In fact it would be patently ridiculous to extend the blame to Internet access providers for being unable to identify such content as terrorist material, how could they even be seriously expected to do that? Short perhaps of hiring an extra member of staff for every ten customers or so just to read through all your private messages, or perhaps allowing security services unfettered access to everything you do or say online.

Lest we not forget how easy it is to encrypt communications and the sheer cost of logging and processing all that data (who pays?). In either case ISPs aren’t trained police officers and nor, as commercial companies with their own self-interests at heart, should they really be relied upon to make such judgments. On top of that we must always consider context (e.g. two brothers threatening to nuke New York might look suspicious, unless you understand the real-life chat they joked about earlier while off-line).

A Spokesperson for the ISPA UK said:

“There are existing legal processes for law enforcement to access communications data so it is wrong to suggest that the Internet is a “safe haven for terrorists”. It is for the intelligence agencies and not service providers to identify potential subjects, and when identified by the authorities CSPs can and do assist in providing communications data under a clear legal process.

The proposal that companies should monitor all communications online runs counter to the legal framework that underpins the Internet, which forbids unwarranted monitoring of customers’ communications. ISPA and its members are in active discussions around communications data capabilities, including the current Anderson Review, and the ISC’s report adds to the ongoing discussions.”

As the MD of ISP Andrews & Arnold (AAISP), Adrian Kennard, put it this morning, “Yes, if every communication is scrutinized, and every letter that is sent opened and checked, I am sure lots and lots of crimes could be prevented. Heck, if everyone was kept under house arrest, or locking in a prison for their own safety, we’d make this a much safer place. This report is nonsense.”

On top of all that the report also questioned why none of the major ISPs in the USA “regard themselves as compelled to comply with UK warrants obtained under the Regulation of Investigatory Powers Act 2000 (RIPA).” Procedures exists between the USA and UK that can facilitate the exchange of information for security purposes, yet outside of those we can see no reason why an ISP in the USA would regard themselves as needing to comply with the domestic laws of another country.

Security is always important but a truly open and fair democracy must also respect personal privacy and freedom of speech as a founding principal. The further away we get from that, the smaller those freedoms become until they are but a passing illusion in the wind.

UPDATE 26th Nov 2014

Added below an interesting comment from an expert in Internet security.

Professor Mike Jackson, Cyber-Security Expert at Birmingham City University, said:

“The inquiry into why UK security organisations were unable to prevent the tragic death of Lee Rigby has highlighted a number of shortcomings in the way those organisations operate. The focus of political attention however seems to be on the issue of an Internet interaction carried out by one of the killers.

The Prime Minister echoing the words of Director of GCHQ is characterising the Internet as place used by terrorists to plan their acts of violence. He is of course right, terrorists do use the Internet, we all do, it’s the major communication channel for the majority of people in the UK.

What Mr Cameron would like is for overseas Internet companies to do the work of the British security services. To sift through the many millions of postings made each day and notify the UK government about any concerns.

The size of the task seems to be daunting even if clever technological scanning solutions are employed. It looks even larger if you take the view that providing this information to the UK government presumably carries with it the duty to provide all governments with similar information. And how does Mr Cameron feel about these companies supplying information to the governments we recognise as repressive and antidemocratic?”