Stopping the Spies. Jane Duncan

Чтение книги онлайн.

Читать онлайн книгу Stopping the Spies - Jane Duncan страница 8

Stopping the Spies - Jane Duncan

Скачать книгу

standards.24

      CALEA and ETSI standards have become internationalised as the surveillance standards for many countries.25 According to the communications security expert Susan Landau, while these standards have made surveillance of digital networks easier, they also introduced security vulnerabilities that have been exploited by intelligence agencies and criminals alike. Between 2004 and 2005, still-unidentified individuals exploited the inherent weaknesses in these interfaces to intercept the communications of senior Greek government officials for ten months, until the vulnerability was discovered. Over six thousand Italians, including judges, politicians and celebrities, also had their communications intercepted by criminals over a period of a decade.26 In 2012, in the wake of massive abuses of internet freedom by regimes desperate to cling to power in the Middle East and North Africa, the Directorate-General for External Policies of the European Parliament called for a reconsideration of some ETSI standards, as they were simply too vulnerable to abuse and enabled mass surveillance.27 Yet in spite of these problems, South Africa adopted CALEA and ETSI standards in 2005, including some of the very standards about which the European Parliament expressed concern.

      Before we proceed with this discussion, it is necessary to add a terminological note on the differences between monitoring, surveillance, interception and equipment interference, as these terms are difficult to distinguish from one another, and at times some are used interchangeably. Monitoring involves the intermittent observation of communications over a period of time without specific pre-defined objectives. Surveillance, on the other hand, involves much closer continuous and systematic observation for analysis with specific objectives in mind, and may involve the collection and retention of communications for these purposes. Needless to say, I am more concerned with the surveillance of communications, rather than its monitoring, as surveillance carries with it greater potential for harm if unregulated than monitoring. In order for surveillance to take place, the communications need to be intercepted, or diverted from the intended recipient and captured, collected or acquired by a third party. A human being does not have to divert, collect or analyse the communications for the action to constitute surveillance: a machine can do so, too.28 However, not everyone agrees that machine surveillance constitutes surveillance at all; intelligence agencies have argued that machines cannot violate privacy, only humans can.29 This disagreement is not purely semantic: it goes to the heart of whether mass surveillance can be considered a privacy violation at all, and consequently whether societies should tolerate such conduct by their security services. I take the position that as the basis for machine interception, collection or analysis is determined by humans, an act of surveillance occurs even if machine analysis is involved, and privacy stands to be violated in the process. Surveillance can occur through the monitoring of communications traffic, such as internet traffic, the interception of mobile phone communication content and data about those communications, the interception of fixed-line communication content and data about those communications, and the planting of intrusion equipment on communications devices, as well as through the use of data-driven surveillance tools like CCTV.

      On the whole, though, targeted surveillance through lawful interception has been less controversial than mass surveillance, which is often referred to as ‘suspicionless surveillance’. The latter involves the tracking of individuals or organisations where there is no suspicion of wrongdoing, but where information about their communications may be stored just in case the law enforcement or intelligence agencies need it to detect suspicious activities in future. While lawful interception generally requires human intervention in order to intercept the communications of specific individuals, and communications service providers have to ‘switch’ the communications to a monitoring centre, mass surveillance is generally automated, and may be conducted through network probes that transmit communications directly to a monitoring centre. Communications service providers may not be involved in this form of surveillance, as the data can be copied off the backbone of the communications infrastructure. Once it is copied, then an agency can conduct searches for specific terms, names or numbers in the intercepted communications to narrow them down to more manageable levels. They may also choose to look for associations between various individuals in order to map contacts. The Snowden documents revealed how the NSA is allowed to travel three ‘hops’ from the communications of a person of interest: that is, they can examine the people who spoke to that person and the people who spoke to those people. As a result of the ‘three hops’ policy, the communications of large numbers of people, many of whom are likely to be innocent of any crime, can be examined.30 However, surveillance affects different social groups differently, and can be used for the purposes of discriminatory social sorting: selectors can be developed on the basis of populations (Afghanis, for instance), and the tendency to profile what the agencies consider to be problem populations is particularly pronounced with mass surveillance.31

      Surveillance provides the state with a politically low-cost form of social control, as abuses are very difficult to detect, and it can use such surveillance, or the threat of surveillance, to create fear that organised violence will be used against perceived opponents. To that extent, and when used inappropriately, surveillance could be considered a form of violence. At the same time, the fear of being watched may force people to self-police their own behaviour, as Foucault argued.32 Such a society is not one that we should want to live in, or to allow our children to inherit, as it will be premised on fear and insecurity.

      Perhaps even more controversial than mass surveillance, which involves passive monitoring of networks, are more active forms of communications interception using equipment interference, such as hacking. Increasingly, law enforcement and intelligence agencies are arguing that encryption is making it more and more difficult to conduct communications surveillance, and this is pushing them to resort to more extreme measures such as infiltrating a communications device like a computer remotely, using malware that delivers surveillance software through an email attachment, taking control of the device and opening any document or application as though it was the device owner. Hacking can even alter or delete a person’s communications, which not only renders the communications and the device pretty useless for evidentiary purposes, but presents grave threats to the security of communications networks as a whole.33

      In spite of the widespread public outrage about the expansiveness of the programmes exposed by Snowden, and in spite of ongoing controversies about the effectiveness of mass surveillance relative to more traditional intelligence efforts, the UK responded by not only defending its existing bulk powers in terms of the Regulation of Investigatory Powers Act (RIPA) and the Data Retention and Investigatory Powers Act (DRIPA), but also seeking new powers through a controversial new Investigatory Powers Act, which was passed in the dying days of 2016. Bulk powers target people outside the country, with less privacy-invasive surveillance ostensibly being reserved for UK nationals. As a result, the Act subjects non-nationals to weaker privacy protections, and thus discriminates against them, thereby flying in the face of attempts to universalise human rights. The most controversial elements of the Act are the executive’s bulk powers to intercept, store and even hack communications on a massive scale. The debate about the Act did put a spotlight on the UK government’s use of hacking. Up to that point, the UK government had never admitted its use of bulk hacking of the computer equipment of non-nationals, until several NGOs brought a case before the Investigatory Powers Tribunal (IPT), which confirmed GCHQ’s use of this surveillance practice.34 This form of surveillance is possibly the most intrusive and dubious of all, as it allows the intelligence agencies, on a mass scale, to access address books, track every keystroke, email and internet search on communications devices, and even turn on a computer’s camera and microphone, using it as a surveillance device against its owner.

      WHY SHOULD THE GLOBAL SOUTH BE CONCERNED?

      But should countries in the global South, like South Africa, even be concerned? The southern African region has largely escaped the terrorism problem plaguing countries like France, the UK and the US, and African countries further north, like Nigeria and Kenya. No southern African country has its own version of al-Shabaab or Boko Haram, responsible for terrible atrocities in East Africa and Nigeria respectively. South Africa faces no significant threats

Скачать книгу