Background talk: Internet surveillance and online counter-terrorism in the United Kingdom
In no other democracy do security authorities and intelligence services have more powers to monitor citizens’ digital communications than in the United Kingdom. Following the terror attacks of recent years, a further tightening of the laws is being discussed. A week ago, Prime Minister Theresa May, in a speech on the attacks in London, described the internet as a threat to the country’s security.
On 5 July 2017 at 6:30 p.m., Eric King, British intelligence expert and former deputy director of the human rights organisation Privacy International, will be our guest for a background talk to report on the current developments in the United Kingdom and put them into context. The talk will be conducted by Thorsten Wetzling of Stiftung Neue Verantwortung.
This is the transcript of the background talk with Eric King held on 5 July 2017 at Stiftung Neue Verantwortung. The text has been edited for readability and to anonymise audience questions. The spoken word takes precedence. Please direct queries about this text to Sebastian Rieger (email@example.com).
Thorsten Wetzling: Today we welcome Eric King. It’s a great pleasure to have you, Eric. Eric is a British legal scientist, an expert on intelligence and surveillance, a former deputy director of Privacy International, a visiting fellow at Queen Mary University in London. Today I invite Eric to discuss with us and elaborate on recent British surveillance policy and reform. And after an initial round of questions, I open the floor and invite questions from the audience.
I presume most listeners, who come on a sunny day like this and want to know more about British surveillance, they do know a lot about the UK’s recent posture in intelligence and electronic surveillance. We hear Theresa May, Prime Minister’s remark on the country being too tolerant on extremism. But we also have this notion of the United Kingdom as a very liberal country, that for a long time hasn’t had any obligations on its citizens to carry an ID card. And coming back to the initial revelations of Edward Snowden, it does seem to us sometimes like a paradox that there hasn’t been more pushback from the society or from the Labour Party. Maybe you want to explain that, if it really is a paradox and why?
Eric King: Sure. Hello everybody. So, in the last 4 years the UK has gone through what many countries have gone through with the public and the press and aspects of government itself getting to grips with the capabilities of modern effective signals intelligence agencies. The issues at the heart of it are very complex, both legally and technically, and there have been lots of contradictions and paradoxes as the issue has played out. Our politics in particular at the moment are complex. We have a Conservative government, recently re-elected, although perhaps not with the strength of a majority that they wanted. But this has been an issue, that I think all political parties struggle with. Very few, I think, have developed expertise inside the parties on these issues. They rely a great deal on the agencies themselves to inform their thinking. And for a very long time there just hasn’t been the information to have a balanced, robust discussion about what we should or shouldn’t be doing.
And so, the Snowden revelations gave us that opportunity. I think a lot of people were involved. Perhaps it wasn’t on the front of the mind of every single citizen in the country, but for the last 2 years, as the law has finally been developed and passed, we also had the biggest constitutional change in Britain for 50 years, with Brexit. There have been a number of tensions on the mind. But we have a new law. And we are now implementing it.
Thorsten Wetzling: I saw a survey immediately after the Manchester attack in which 68% of the respondents were backing state powers to intercept encrypted messages like WhatsApp and Telegram. As a privacy advocate, it seems you often have to fight for a minority position in society. How did you get into your line of work?
Eric King: I used to work for a non-profit called “Reprieve”, who did a lot of investigation and work around Guantanamo Bay, extraordinary rendition and torture. My background is a lawyer but I am very nerdy. And I was interested in the mechanics underneath it. There was very little reliable information available to understand how these practices operate. So I left Reprieve and went to go join an organization called Privacy International, who has been running for 20 years. And I learned about signals intelligence for 3 years, 4 years, by sneaking into arms fairs and surveillance trade shows and finding companies making these tools and selling them to governments around the world. A number of years on, when the Snowden revelations happened, I think that was what enabled some sectors of British society, the non-profit sectors, who had been involved in that, to have a more forthright response than they might have been able to years before that.
Thorsten Wetzling: In December 2016, the most significant intelligence legislation in recent German history was finally put on the books. At the same time the United Kingdom passed a similar legislation – the Investigatory Powers Act. What are the main powers that the British intelligence community received from that?
Eric King: If you ask the government, the act doesn’t give them any new powers at all. These are powers that they have had and that they have operated for decades. Unfortunately, the reality is slightly more conflicted. As far as I am concerned, the majority of the powers in the Act are ones that Parliament hadn’t previously consented to. So there were broad powers permitting the agency to undertake activities, which the intelligence agencies had interpreted to grant them authority to undertake things like hacking operations. But when those laws were passed 10, 15, 20 years ago, discussion of hacking for example wasn’t around. So there are contrasting views about what is new in this bill and what isn’t. Nevertheless, for the first time in legislation we have, I think, a pretty honest account of what the British security agencies do. And those are mostly the bulk powers, that is bulk interception, so the large-scale interception of communications from telecommunication networks.
Another power, called bulk communications data acquisition, which is the power they used to compel telecommunications companies to provide information to them in a structured way. It’s an easy way to make use of the information. A power called Bulk Personal Datasets in which they compel private companies or acquire them via other means, the information that a company might hold about its customers or health records or service records or something like that. And the agencies can then integrate them and search them via single interface. And bulk hacking powers. And the bulk hacking powers are particularly interesting because they give a hint as to what the agencies want to do more of in future. The bulk hacking powers are permitted when the agency wishes to undertake a hacking operation but it cannot determine for itself whether or not it would be necessary and proportionate.
They cannot make that analysis, in part because the scale of the hack which is so broad, that it would be difficult for them to handle the part legitimately, say we can predict the full consequences of this. So instead they say, well we won’t make that determination at the warrant stage. We will undertake the hack. Once we have hacked, we will see just how many people we ended up hacking. And then we will roll back and start applying safeguards. It’s really turning existing legal principles around. It was the topic of a lot of debate, but this is the new power they have got. And the final thing, I would be remiss if I didn’t say, is that while those powers relate to the intelligence agencies themselves, the police have also been given very formidable new powers. In the UK they ended up being called “Internet connection records”.
Thorsten Wetzling: The critics call this law the Snoopers Charter. Some even call it the most extreme surveillance measure in the history of western democracies. Supporters of the bill say: Look, we only legislated what we are actually doing and that is a lot more than other countries are willing to do. If I were to press you to name just a few very good pieces, what would you say these were?
Eric King: The first thing I can absolutely give the government credit for, is transparency. Previously, I also lecture in law on this issue, and prior to this I wouldn’t have been able to teach a course on this topic, because I would only have had a few paragraphs of statute that I would constantly be referring the students to. Whereas now I have 300 pages. Now just because something is lengthy, doesn’t always mean it’s better, but you have to give the government credit for at least setting out in reasonably plain language, what it is that they are doing. Another thing I think is a significant improvement, for the first time we have judges having some role in the process of warrantry. In the UK, I think reasonably uniquely in the world, our government ministers have been both the people seeking the warrants, or at least it’s the agencies for whom they are responsible, who are seeking the warrants. And it’s those same ministers who signed the warrants.
And this has been the case in Britain since we have had our intelligence agencies. And for the first time we now have judges scrutinizing that process, although they are only reviewing the minister’s decision. They are not re-taking the decision themselves. So it’s not a perfect outcome, but it’s a significant improvement. And finally I’d say, the opportunity for new oversight is there. We have had a very fractured oversight system, lots of different agencies with unclear mandates, that cross against each other and this has all been brought into one place. And the hope is, that this will now enable much more robust oversight than we have had in the past.
Thorsten Wetzling: I have noted recently, that there has been the IP Act, with a number of bulk powers and the internet connection records as a power given to the police. For those powers there have been now codes of practice that the UK Home Office has published. In German security legislation, you will often find that there will be references to additional executive decrees that are confidential. Once published, do you find these codes of practice are of particular value when it comes to transparency?
Eric King: If you are not a lawyer, for example, and you want to understand the Act, if you begin by reading the codes of practice, they provide an insight on how these powers work in practice. They are part of our legal framework but they have a lesser status than pure statute themselves. And when they were released, we expected their release, they were required to be released, it was an interesting test to see whether or not the government were going to try and sneak, perhaps I should not be so pejorative, but clarify different aspects that weren’t clear on the face of legislation. And there were a number of things that were new, despite having spent the prior year looking at these 300 pages of major statute. There were new things in this but part of the interest was also what wasn’t in there. And one of the key parts of the code of practice that we were expecting to be made public was never revealed publicly. The government decided instead to consult, not with a wide sector of stakeholders, but hold private consultations only with companies. And this code of practice related to the government’s ability or claim to be able to compel service providers to break or remove, I should say, end-to-end encryption.
Thorsten Wetzling: Coming to the internet connection record system, because that got a lot of attention also in Germany. Data is retained for 12 months. It is shared. It can be shared with a variety of different agencies. The Education system. Health bodies. Can you walk us through the notification system? If the government wants to compel business to cooperate with this, how does it go about doing it in the UK?
Eric King: The internet connection records are a new creation. There is no other country in the world that has this idea, this framework. And the police and our government have been pushing it for the last 7 years. They had been very persistent upon this point. And at its heart is the idea that they can order telecommunications companies to install technical equipment into their systems to gather information about their customers’ internet habits. And so the goal for the police would be to have a detailed log, an internet activity log, as it were, of every single thing you do. Email, searches, website visits, that sort of thing. Now the question will be, whether or not this is lawful. Data retention has been struck down by the European Court of Justice a few years ago. We have had other challenges in the UK and we now don’t know whether or not the government will try to introduce this or potentially re-write the legislation.
Thorsten Wetzling: Looking at the powers that the UK government has to its disposition, is there some audacity on the part of the British government to ask more? Can you even think about something that they want to have, that they didn’t get in the IP Act? Is there room for more?
Eric King: If there is, I haven’t been able to think of it yet. It puts the government in a difficult position at this stage. We have had 3 terror attacks in recent months. And the response has been different to how I’ve seen it been portrayed in the press previously. And this is because the most, the agencies and the government have passed and got essentially every capability and power that they have been asking for, for the last 7 or 8 years. Not all of these have been enforced. There are aspects that won’t come into effect for a year, but given that these powers have been granted, obviously you can never have 100% security and attacks still happen. For the first time I begin to see the press beginning to question, are there other factors at play? Is it not just raw capability that drives this? And that has gone into 2 directions. 1: it’s gone a lot of aggression towards American, mostly Silicon Valley, companies, with the press and government both saying, that they have a greater responsibility to be assisting and proactively monitoring for content. The other has been a criticism of our now Prime Minister Theresa May for our program of austerity, cutting back police numbers. And the big concern being, that unless you have community policing, these attacks cannot be stopped. Which I think is a really interesting shift, or a beginning of a shift from saying that it isn’t just the agencies with this incredible power that might have a role, but it is traditional policing, working with communities that might also be equally important.
Thorsten Wetzling: So let’s say, can the British government already with the IP Act in mind serve a notice to a British or any international company to remove end-to-end encryption? And have they done it? Are they planning it?
Eric King: So, in the UK law the power that could be used is called the Technical Capabilities Notices, which allow the government a wide discretion to serve these notices on companies, to require them to provide technical capability to assist them. Now this is not a new concept. We have always had it in previous legislation. But they used to be narrower in scope. So they used to apply to a telecoms company to provide technical capability for lawful interception. And so they would be employed in a narrower format. The new wording essentially allows this old power to no longer just be applied to large telecommunication companies, but what the Act calls “telecommunication operators”, which is very widely defined to include people that provide webmail or anyone that runs an app. So, all of a sudden anyone involved in communication in any part of the chain could have this notice served. As for whether or not they could compel a company to remove encryption is a matter of debate. I mean, on the face of the legislation the answer is yes.
The power is that broad. The interesting question is: “Would the government do this?” And that is what is much more complex. To serve a notice on Apple, for example. What will Apple say? Well, based on what we have seen with Apple and FBI, more likely than not they would refuse. So what will the government then do? Well, they would have to take enforcement action against Apple. Would they? I don’t know. And once in court, the question is not going to be about national security. The question is going to be about whether or not the British government has the authority to compel a company on the other side of the world with its law. And so it’s going to be a question of jurisdiction. And I think the government knows it will lose that fight. And so this legal power is almost like a chip in a game of cards. It is a game of kind of politics, where there is this potential compulsion. But I think, the government is terrified of using it, for fear that it can’t actually compel anything. At least on the international stage.
Thorsten Wetzling: You mentioned courts. And you also mentioned earlier on that the IP Act provides an opportunity to improve and professionalize the oversight system. There are plans for a technological review panel. Are judges in the UK sufficiently trained to understand? Would they need more training? How is your assessment in this?
Eric King: Any oversight body has a lot on its plate. First of all, they are integrating 3 existing government agencies, which is no simple task. The second thing, is that they are going to have to hire a number of judges, or select from a pool of judges to begin to sign and review this warrantry. Judges have never done this in the UK. How you begin to build up the understanding of what will almost certainly be judges who are at least age 60, because they will be essentially of High Court status and above, I think our youngest High Court judge is perhaps in their late 50s, I think it will be a challenge.
I mean, I find this incredibly technically complex and I am looking at it all day, every day. We also have challenges because the way the law is written means that these judges will be signing the warrantry or reviewing the warrantry but they will also be responsible for reviewing whether or not their decisions were right. And so there are complex aspects of how the oversight body will function itself, that I think will be challenging. And I think this is at a time in which the agencies will be pushing the scope of what is possible in this warrantry again. So I think, while I am very, very hopeful, there’s a number of challenges that oversight face I think.
Thorsten Wetzling: There is litigation at the High Court. Can you elaborate on some of the challenges that the IP Act faces?
Eric King: The IP Act is under fire from all sides. I think one of the most frustrating things about campaigning for a year on a law, is that we might have a completely different law in about 9 months’ time, when various courts make decisions. I don’t think it’s a good way to govern, to be constantly rewriting and resetting legislation on the basis of courts. But that is how we got. So we have a number of cases that might end up binding. The first is, litigation that I was involved in while I was at Privacy International against our prior piece of legislation. That is now with the European Court of Human Rights and that is dealing with the question of bulk interception. Is it necessary and proportionate at all? Now while any decision that is made by that court obviously relates to an older piece of litigation, the principles behind it immediately apply to the existing law and should a strong decision be made by the court, a new piece of litigation will be brought domestically straight away, I imagine, to bring that into effect.
There’s also cases against the bulk hacking... the hacking powers that have gone up to the European Court of Human Rights. There is also cases against the bulk communication data powers that are also on the way to the European Court of Human Rights. And since the act was passed, a judicial review to the High Court has also been taken as a facial challenge to the law, saying in and of itself at the moment, it felt confined to human rights’ principles. So, if the government’s goal here, which it was in part, was to kind of overhaul the system, fix as much as they can in an attempt to reassure the public and civil society, who has been very critical of it, I don’t think they are going to be very happy with the outcome. Because while we have a set of improvements, they are going to be constantly having to re-look at this, defend this, both in court and in public, because very few were satisfied with how the bill ended up.
Thorsten Wetzling: I think now is the time to open up the debate and I invite questions. Any of you feel interested, please do.
Member of Audience 1: Thank you. Perhaps I start with a boring question. If you were just to hypothetically put yourself in the shoes of a UK intelligence agency, and look at those powers, what would you do in this role?
Eric King: So, I think the greatest challenge that the agencies face is not with whether or not they have the legal authority to undertake activities. I think the greatest challenge that they face is their ability to decide priorities of who they should be targeting, which resources to devote to that and how to move quickly with the changing threat environments. They now have the capability to do more or less anything that is imaginable. Of course that doesn’t mean you can stop every attack. Far from it. And in the last couple of months we have seen the agencies trying to explain this challenge. They have 5000 people on a kind of active monitoring list in the UK at all times. Even with all these capabilities you cannot apply all of them against all these individuals at once, let alone analyse all of that information, let alone make decisions on the back of that. So I think the next set of debate about our security is not about the capabilities itself necessarily, but how can and should agencies improve their, what we would call in the UK, triage capabilities. I think that is really tough.
Member of Audience 2: I remember Theresa May saying that she wishes international internet regulation to be done in cooperation with like-minded democratic countries. Have you any idea what she is talking about and what this should look like?
Eric King: No. But perhaps I can try and provide some context, which might be helpful in trying to understand it. Theresa May was our Home Secretary for 8 years and in that role she was regularly fighting against technology companies, mostly in the US, on all sorts of issues. And you can see that this has been an issue for her right the way through. She doesn’t like the idea that the British government doesn’t have the ability to rein in or force technology companies to do what she thinks they should do. She doesn’t like it, you know, you can see that. There were lots of references in the Conservative manifesto to what might be done and I think it was, was it the G8 meeting recently? Where she was going to try and propose a set of rules, but we had about 4 days’ worth of press in the UK where this issue was being floated. You could see that she was gearing up for something. Then she didn’t lose the election, but she lost a significant part of her mandate and I haven’t heard a single thing about this since. And I imagined that all, I imagine it has dropped until the Conservative Party of Theresa May herself is in a much stronger position, which might be a little while.
Member of Audience 2: So this is not related to intelligence or anything specific. It was just a general statement against terrorism.
Eric King: I imagine it’s mostly… I think the things front in her mind are countering violent extremism and obligations on companies to proactively monitor for contents and work with the police to take things down quickly. And I think it’s also the ability for UK law enforcement to get immediate real-time access to conversations, messages taking place on US- or international services.
Member of Audience 3: Is it true that MI5 has the right to kill anybody that they decide it is wise to kill?
Eric King: MI5 almost certainly, although who knows, don’t. It’s more complex around the situation with MI6. MI6 are the James Bond agency, externally facing. And while former directors of our intelligence agency have always said that’s not their business, they don’t undertake those sort of operations, when you ask questions in parliament, as to whether or not section 7 of the Intelligence Services Act, which is potentially the so-called get-out-of-jail-free card that would remove criminal liability for undertaking those sorts of actions, the government has never itself given a clear answer to parliament on that. So I can’t probably assist you beyond that.
Member of Audience 4: Playing Devil’s advocate. In Germany there has been a problem with intelligence agencies. Right after an attack they always claim they need broad capabilities and broader allowance to do certain things. And there have been a few cases, for example the Berlin Christmas market attacks, where afterwards there have been signs or theories that they already had information about that attack, which they did not follow correctly. So it seems a little bit like, I don’t know whether it’s the same in Britain, but for example the copying of mobile phones from persons who want to enter into the country is a very broad spectrum. And it seems a bit like they are desperately trying to use certain happenings to broaden their allowance and playing Devil’s advocate, it’s a little bit like Orwell that they don’t take as a warning but as a manual.
Eric King: So they… I don’t always… so my view on this issue doesn’t always win me friends with my civil society colleagues, but I would expect that the agencies would have had some contact in some form, by “contact” I mean would have some information, having intercepted something, have a human source about almost everybody, who is in any way a threat, at any point to Britain. So the idea that, if an attack successfully takes place against, or in Britain, the idea that it would be undertaken by somebody who the agencies are completely unaware of, I think is incredibly rare. Now, what follows from that? Is it that they need more information? Or they can’t analyse what they have got? For me I’m coming back to the same answer we had here, which is that it’s really hard to make those sorts of decisions, I think. I think it’s just very, very challenging. And you are constantly adjusting different ways to try to assess that. And I imagine if I was in that job, I would probably say, if I had more data, that might help me. I don’t know whether or not it would. I think I am sceptical of that. But at the same time I am sympathetic to the challenge of trying to work out who is more likely to commit an attack than another. I think that is really tough.
Thorsten Wetzling: Before I move on with a question, I would like to piggy-back on that, if I may. There will be a review by Anderson, who has been the former counter-terrorism legislation reviewer. Can you elaborate please on his mandate? Because there have been a series of attacks and what will he investigate?
Eric King: So after any attack in the UK our agencies always conduct a review of what did we do wrong, or what could we do better next time? What mistakes were made? And this time, for the first time in the history of the UK, I think, there is no model for this anywhere else in the world, the agencies will undertake this review as normal, but David Anderson, who was our independent reviewer of terrorism legislation and recently he has passed the role on to somebody else, he is going to be providing independent assurance of those internal reviews. So the agencies will look back and see what went wrong, what they could do better and the government have asked David Anderson to come in and look at that, probe that further, ask questions and presumably satisfy himself that the conclusions that the agencies reached are correct. As to the scope of that and how he will do that, it’s anyone’s guess. As I say, this model is new. There are not many other precedents to follow. I am looking forward to seeing what he says.
Member of Audience 5: Thanks for your talk. Is there some kind of security, some kind of evaluation built into the laws being passed now? Because, I mean, usually I would say the scientific view would be, okay, we have a problem, then we try to fix it and then after 3 years we review whether this is a fix to this. To me it seems, similarly in Germany, there is just a very basic belief that this might help. And then everyone believes it and it becomes a reality and you know, and it moves on to the next step. But are there some evidence that supports or counter-supports… My question is that there has been research on video surveillance in London as the most heavy… I guess everyone knows about it, being not really helpful by the Scotland Yard for example. Okay, so what is the result of this? How can this be applied here?
Eric King: So yes, there is 3 parts for me, here. The first is whether or not the laws and the powers themselves are effective. Do they work? When this law is being passed, one of the things civil society successfully pushed for, was a review of whether or not these powers are effective or not. Time was tight to get the law passed, but the government conceded that a review should be undertaken. And so they instructed David Anderson, same guy, this time when he was in position, and he undertook a review of whether or not there was an operational case for the bulk powers. Now it is a very good report. It’s very detailed. I encourage everyone to read it. However, he had a limited amount of time. I think it took 3 months, 2.5 months to do this review. So there are many more questions to be asked there. But that is a really interesting report to look at. He gave everything the thumbs up. He said everything is... can be helpful.
Although he didn’t make any claim to whether or not the powers were necessary. He just said they were helpful. The second thing I’d say, is that the new oversight body has a role to some degree of reviewing whether or not these powers are necessary and tied to that necessity is obviously an assessment of whether or not they work. It’s not necessary to have a power that is ineffective or inefficient. In theory the oversight bodies have a mandate there. It’s a very difficult thing to do. I hope they bite into it. But I don’t know. And then the final thing I’ll say, is that during the campaign one of the core asks that we made, was that this law should be treated as a similar piece of legislation which we have in the UK, which is the Armed Forces Act, which every single year comes back to parliament and gets reassessed. And the reason we said that this piece of legislation should be treated this way, is that technology moves so quickly, passing a law that is meant to last 15 years, it will just provide for abuse. There is no way that you can pass a law that will operate in the way that it was intended 15 years before. Because no one can know what is going to happen in 15 years. It doesn’t matter how smart you are. And so we said, that this was a really big problem in the law. Because instead of keeping things restricted, the government wanted this law to last and so they provided a massive amount of flexibility and wriggle room so that it can still be enforced. I think this is a mistake. I think we need to start looking at this legislation in much shorter timeframes.
I don’t normally advocate for this in any other arena, but I also think it should be technologically specific. In most other areas I would say we want technology-neutral laws. Here I think it is so important to say exactly what you mean, because as soon as you come up with abstract concepts, as technology changes, you don’t know how you will fit in them. If parliament’s job is to set a balance between security and privacy to some degree, then what they are preserving is that equilibrium. And if you provide a very broad language, it seems to me that over time that equilibrium will change in one direction or another.
Member of Audience 6: I was wondering, do you think that there is a position for middle ground? We are talking about most of the culprits already known or on some list. I look at the ruling for data retention. It would in principle allow data retention for a limited group of people. Do you think there could be a limited approach, like “surveillance light”, where you start collecting data for a limited group of people, not that bulk power?
Thorsten Wetzling: And the second question, please?
Member of Audience 7: I recall Theresa May saying in the run-up to the last general election, not quoting her precisely, but something to the effect: If human rights get into the way of fighting terrorism, we might as well get rid of them. She is not the first politician to say that. I remember similar phrases by Tony Blair, who spoke about human rights being so 19th century. Against the backdrop of that, how likely in your opinion is it, that the UK will actually leave the European Convention on Human Rights, an international Human Rights Treaty, which Great Britain really initiated in 1948 or 1945? And you spoke about lots of cases before the European Court of Human Rights. So how do you assess this likelihood?
Eric King: I don’t want to predict… I think I would be a terrible judge of predicting British politics at the moment, so “I don’t know” is the honest answer. But again Theresa May has in particular had a real issue with the European Convention. I think her party, the Conservative Party, have pushed for the repeal of the domestic legislation, which incorporates that, our Human Rights Act, I think, for the last 6 years. Despite that being in their manifesto for the last 6 years, it never managed to bring anything forward. And in part it is because, what would it say? The question that comes up is: “Which human right do we not believe in? Which ones are we going to get rid of?” And instead the Conservative Party says, we are going to have a Bill of Great British Values or Great British Rights and Freedoms. You know, honestly, what they are, I have no idea. I do not know. I think she wants to get rid of… I think, if it were up to her entirely, she would remove Britain from the Convention tomorrow. But there’s enough smart members of her cabinet, who don’t take that view. And I think, politically it is very difficult to do for the moment. I guess the one final thing I will say, is that in her Lancaster House Speech, her speech setting out Britain’s view on Brexit, she said as a red line we will not ever be under the jurisdiction of the European Court of Justice of the European Union. And more and more there is speculation that the person, who wrote the speech didn’t understand the difference between the Court of Luxembourg and the Court in Strasbourg. Because any future trade arrangement has to be subject to the jurisdiction of some kind of supranational court.
Now the government is saying, ah, it won’t be the European Court of Justice, but something similar. How this is going to work, I don’t know. But there we are. And Klaus, yes, I think middle-grounds on these issues are always worth exploring on data retention. I think it’s very complex because I don’t know how you do it in a way that doesn’t become discriminatory, which for me suggests, that you don’t do it. For many law-enforcement officers I speak to, they say, we don’t want to do a limited subsection of data retention because it would be discriminatory. So we will avoid that by doing it to everybody. I say, I don’t want to violate the rights of a group any more than I want to violate the rights of everybody, but I think they will really struggle with that.
Member of the Audience 8: I am wondering, the intelligence community has a couple of missions, one of which is fighting terrorism. Another one might be fighting organized crime, fighting drug use, which falls into the organized crime realm and industrial espionage and strategic espionage. I am wondering, do you have any insight about the division in terms of percentages? How much of the resources are allocated to which sector? Do you have any changes in the past, perhaps because terrorism is suddenly more important than industrial espionage? Has there been some re-allocation by the intelligence community in order to address this topic of terrorism?
Member of Audience 9: You mentioned that the traditional policing methods and community policing. Do you have any insight into the recruitment of the agencies, whether there are any sociologists or let’s say, people who try to understand the importance of community policing?
Eric King: I don’t know the break-down of professions within the agencies. I’d imagine that they have explored it significantly, not least because one of the more controversial programs we have had in the UK recently is our “Prevent program”, which is aiming at acting earlier on in the life cycle of an individual becoming radicalized. And the way that they have attempted to make those interventions is by placing obligations at schools and at universities to monitor students, if they see them viewing extremist content or developing extreme ideologies, “extreme” is obviously not defined, then they need to report them to the police. I think there has been a great effort to do it. I am not sure it’s focused in the right direction. I am not an expert on that aspect. Certainly if you speak to law enforcement officers, who are much more public facing, they really are very critical of how our interior ministry, our Home Office has made its decisions, because it’s the community police as part of our counter terrorism units that have faced the most significant cuts in recent years.
And I think people are very concerned about that at this point. And the other question as to the break-down of agency focus, there was a Snowden release in The Intercept, which very unusually broke down the priorities that the Joint Intelligence Committee of Parliament, sorry, not of Parliament, the Joint Intelligence Committee which sets the goals of the intelligence community for that year, so they say this is what we want this year and this is the things within this and they assign priorities to all sorts of things. Strategic monitoring across Central Asia, etc. etc. It’s a 170-page PDF listing that is in extraordinary detail. I have never seen anything like it in any other country. It provides fascinating insights. Very roughly, it’s about a third focused to terrorism, 20% to nuclear non-proliferation, and kind of breaks down from there. Although I imagine that a significant proportion, though I don’t know what, might be more directed at Brussels now than it was a few years before.
Member of Audience 10: [inaudible], so why has that persisted for years in the UK and through the IP Act as well?
Eric King: So whenever I think I have an answer to that, I realize that I don’t. There has been no common thread for why in the UK we don’t, or at least that I can discern, as to why we don’t permit intercept as evidence. It originally came from not wanting to reveal source and methods. It then became a question of not wanting to undertake the process of disclosure, the idea being that in all other areas, if the police have material that might exculpate a defendant, might provide an alibi or would assist their defence, they would have an obligation to hand that over. And the police in particular didn’t have the funds to do that. And so it was a cost issue for a long time. Then it became the fact that the way that the systems were built wouldn’t hold up in court anyway.
But we have had 7 reviews in 10 years. It’s never been resolved. The absurd thing, as I know you know, is that while intercept evidence isn’t used in court, hacking evidence can be used in court. Now if you ask law enforcement officers why that is, they say it would be very useful. And I say, well, yes, I agree, but so would intercept. So why the difference? They don’t have an answer. You ask the question, well what if you used the malware, the hack, to obtain strike calls that would otherwise be obtained with intercept? Will you use that? And they say: “I don’t know.” So I think they’ve learned their mistake and they want to correct it for hacking going forward and will fuzz it for the intercept cases.
Member of Audience 11: Julian Assange, I think the Swedish have dropped their claims against him. Why can he still not go out of the embassy?
Eric King: So he breached bail conditions because there was a police warrant for failing to appear for the extradition. And so breaching that condition, he has committed a criminal act. And so, I imagine that, well…
Member of Audience 11: … Sweden and since Sweden itself stopped it, it doesn’t make any sense to keep him there.
Eric King: He would have to go before a judge to get the fact that he breached his bail conditions lifted. He may win that. Your analysis of the legal position might be correct. But the breach doesn’t automatically drop away, simply because the reason for the breach no longer exists, it still is there, irrespective of whether or not the original reason for it has now evaporated. And so it may be that if he went before a judge and made his argument, that this no longer needs to be in place, he may win that. My understanding is that that would still require him to leave the embassy to go and test that. And I think at the moment the advice he is probably receiving…
Member of Audience 11: Is there a warrant put out on him by the United States?
Eric King: I think there is no extradition warrant that has been served. And I think the British police have said that and confirmed that a number of times, although the grand jury investigations in the US seem to be kind of ongoing.
Member of Audience 11: I hear tax payers are paying thousands a day for keeping him there and watching him all the time. How is that justified then?
Eric King: The police knocked it down a few years ago. I think there was previously a 12-man team. Now it’s a 2-man team. I don’t have the answer.
Member of Audience 12: I wanted to ask a Brexit question. The Brexit negotiators have made security policy a central bargaining chip of Britain in these negotiations, and said that is why they got to get a good deal on economic freedom and these kind of issues. Do you think it is a realistic bet, given that security cooperation happens a lot outside the EU structures anyway?
Eric King: I am not sure that the bets the British government are making at the moment are always good ones. I think on this issue it is even more complex. You know, key to information exchange even at the police level is that there are protections and frameworks for protection, which if we leave and don’t continue to implement equal protections, mean that we will potentially not be able to provide information or receive it. Likewise, lots of those agreements require the bodies to subject themselves to the jurisdiction of the European Court of Justice again. If Theresa May’s line on that is right, then we have to renegotiate all of those aspects, so it’s very hairy. As for whether or not the intelligence agencies as part of police cooperation and border cooperation, I mean, I would hope that Britain would continue to share, regardless, I don’t think it’s honest or genuine to say, that they would stop sharing intelligence that might result in deaths. I think that in times of pressure I would hope that they could not live with that. As to how successful the bargaining chip will be, I don’t know.
Thorsten Wetzling: Further questions? You have one.
Member of Audience 12: You mentioned that Theresa May would like to apply UK law extra-territorially to US companies. Obviously that is a tit-for-tat game. Do you think she is prepared to accept that law other than the British law is being applied to British companies likewise? And where do you think that would lead us?
Eric King: It’s a question we did highlight to her in meetings, personally and also in parliament. But it was never a question that was responded to directly. I don’t think it leaves anyone in a good position.
Member of Audience 12: It seems that the United States is applying its law extra-territorially, particularly in hacking cases. [inaudible] Over 100 countries were affected by the hack, well, more precisely users in over 100 countries. So in other words, well, I am not a lawyer, so I can’t really come as a judge on this case, but is there some breach of international law?
Eric King: Well it is complex. The issue in those sets of cases, you have the cases where the US government and the FBI are trying to force Microsoft to hand over information, that resides in one of their cloud services. But the data is stored in Ireland. And the question is whether or not that is within the jurisdiction of the FBI, to order. Microsoft say no, FBI say yes. You know, that is a very difficult thing to solve, because I don’t think any of the theories of jurisdiction work out very well. Is it where the individual is, for who the information relates? Is it where the data is about him? But that doesn’t really make sense, because in those cloud systems data is replicated in multiple centres around the world.
Or is it where the company is, who might have access to it? At some point you have to make a common theory on those jurisdiction questions and I think it’s pretty difficult to unpick. And on the hacking question, I think part of the issue here, was that the FBI wasn’t honest with the judge that signed that warrant. It didn’t make clear to them a) the type of technique they were going to be using, let alone where those users were. That hack, certainly in my view, resulted in criminal offenses in the UK, because people in the United Kingdom had FBI malware on their computers and there was no British authorisation for that, at least nothing public, which means it’s an offense under the Computer Misuse Act. Now whether or not our police will investigate that, it seems very unlikely, because they are now following up on those prosecutions of those individuals, using the information passed on by the FBI.
Member of Audience 13: I have a question regarding the new legislation. Does it mention in any section cooperation between international service, fly-bys, or even more when we get to the question of illegal information being gotten from other services and being used in the UK. I mean we all hear these stories. There is a kind of play selling information, which may have been obtained illegally. Is there any mention of that?
Eric King: The Act itself doesn’t mention the fly-bys but it does mention intelligence exchange in cooperation and it does set some rules on that. However, all of those rules are discretionary at the whim of our Prime Minister in particular, so from my perspective, the rules governing in intelligence sharing are probably better than many people think they are, but the best way for government and the agencies to show that is to release them. And I have often pushed for those releases. We have not been successful, but we also have another… Or my old organization, Privacy International, took litigation to try and secure the release of those intelligence sharing arrangements. That’s now before the European Court of Human Rights as well.
Member of Audience 14: Do you think it’s the people’s argument to put the data security and data integrity of a citizen to a disadvantage to ensure an international information gathering capability for the government? Do you think that is an acceptable way or do you think there is a plan to do it that way?
Eric King: The short answer is “no”. I don’t think that is acceptable. I think if you ask many people in the agencies, though they would also say no, but how they view those risks might be different to how I view them. And one of the problems on this debate, is the lack of technical proposals from government to try and test these issues. We have had stuff from 10 years before of course, but I don’t know what the government proposal is now, technically. And so until you see that, we just end up using metaphors to describe front doors, back doors, golden keys, etc. And we need a technical proposal to assess it.
Member of Audience 14: The German government had a technical proposal, with the experiment of what they called the E-Mail made in Germany, which they advertised as an end-to-end encryption of communications, which was proven to be just a transport encryption and the messages were stored in plain text on government-owned servers.
Eric King: That legitimises the reason for the concern entirely.
Member of Audience 15: There is this argument going on, that there has been a cultural change in the intelligence community post-Snowden. More open or transparent for intelligence agencies. In Germany we haven’t seen that much of this change, I might argue. I wonder whether this is true for Britain as well? Are they becoming more open or are they engaging in public relations more?
Eric King: I think they probably are. In fact, they definitely are. They now all have Twitter accounts. They are much more involved in other branches of the government. They have devolved aspects of their cyber security into a new wing of GCHQ, which is much more public facing. In talking, if you ask journalists, who are regularly talking to the agencies, rather than just saying “no comment”, they will now regularly brief for 2 to 3 hours, which is something the GCHQ has never done. We even had them providing a comment other than “no comment” about 2 months ago. Although it was them saying that the allegations in the US that Trump had made, or that Obama had directed GCHQ to spy on Trump were deceitful and entirely false and fictitious. I think that is the first ever comment from GCHQ. An odd story for them to do it for, but maybe it’s a beginning of a new trend. I don’t know.
Thorsten Wetzling: That’s an assessment of the temperature we have in the US-UK intelligence. That was actually a question. I meant to do that, but we will do it later. Let me please say that it has been a real pleasure to have you here, Eric. We appreciate your knowledge and I think we have a good account of what powers were given to the UK intelligence community. Some powers are not yet tested. Some judicially reviewed. Others not tested because of political calculus and I think it has been great and thanks, Eric.
Thorsten Wetzling: And there are drinks outside.
– End of transcript –