Evil US web giants shield terrorists? Evil spies in net freedom crush plot?

Calm Down and Carry On

Analysis Evil US Internet companies are shielding terrorists plotting our destruction! Woo! Evil Tory bastards are using the Woolwich Report as an excuse for a further crackdown on the Internet, muslims and ultra-left Guardian columnists.* Woo!

Or, perhaps, neither of the above? All the shouting is based on the parliamentary Intelligence and Security Committee's report, looking into the matter of whether the British intelligence agencies could have prevented the murder of Fusilier Rigby by muslim extremists in Woolwish last year.

The Woolwich report (available here) certainly uses language likely to displease US Internet companies: but quite a bit of what it says is true, and the entire report presents a much more nuanced picture than the grandstanding of some politicians and the ranting of some newspapers might suggest.

Did anyone actually read this?

Here's part of the statement issued by the Committee authors on the report's publication:

We have examined whether the [British intelligence] Agencies could have discovered this intelligence before the attack, had they had cause to do so: it is highly unlikely. What is clear is that the one party which could have made a difference was the company on whose system the exchange took place. However, this company does not regard themselves as under any obligation to ensure that they identify such threats, or to report them to the authorities. We find this unacceptable: however unintentionally, they are providing a safe haven for terrorists.

Our Report considers the wider relationship between law enforcement authorities and Communications Service Providers. None of the major US companies we approached proactively monitor and review suspicious content on their systems, largely relying on users to notify them of offensive or suspicious content. We also found that none of them regard themselves as compelled to comply with UK warrants obtained under the Regulation of Investigatory Powers Act 2000.

Therefore, even if MI5 had sought information - under a warrant - before the attack, the company might not have responded. They appear to accept no responsibility for the services they provide. This is of very serious concern: the capability of the Agencies to access the communications of their targets is essential to their ability to detect and prevent terrorist threats in the UK.

That might have been more tactfully put, but it is not entirely nonsense. The company in question is not named in the report, but is generally understood to be Facebook. For brevity we'll refer to it as that. In December 2012 one of the killers, Michael Adebowale, was involved in an online exchange where he expressed "in the most graphic terms" his intention to murder a soldier. Had the security services been aware of this at the time his status as a low level SoI (Subject of Interest) would have been escalated dramatically and there would have been "a significant possibility that MI5 would have been able to prevent the attack."

Which seems perfectly reasonable. It is however unreasonable to conclude that US web companies, or CSPs (Communications Service Providers, as the report styles them) are totally OK about terrorists crawling all over their systems plotting jihad. Quite the reverse - they undoubtedly do host various and varied stews of villainy, but that's not entirely good for business (or relations with governments). Terrorist content is one of the reasons they kill accounts (at least four of Adebowale's accounts were disabled by the company for terrorist-related reasons) and hey, if you can randomly zap pictures of women breastfeeding then you can also zap stuff that at least sounds like it might be a tad more dangerous.

But it appears you can't always zap the right ones all of the time. The particular exchange in question seems not to have been reported or to have tripped any automated triggers, and Facebook only found it after the event. Adebowale had a total of 11 accounts, seven of them disabled by Facebook and one by himself, but it's not clear if Facebook knew about his multiple accounts prior to the attack.

Not spotting the "kill a soldier" exchange was undoubtedly a fail on Facebook's part, but it was a shit-happens kind of fail, the sort that Facebook is undoubtedly going to be looking at to see if its systems could be improved. As we say, this sort of stuff is bad for business, and it's absolutely in the interests of the US CSPs to get some kind of lid on it.

Does that mean they should "proactively monitor and review suspicious content on their systems"?

Well, the proactively bit is a big ask and I'm not sure that's what the ISC is really asking. Accurately and effectively crunching vast numbers of posts before they go live simply is not possible. Using automated systems to flag suspicious posts is kind of possible, but setting this up so you don't drown in false positives is tricky, and what you then do with the information after you catch a post like Adebowale's is not as straightforward as your honest Daily Mail leader writer might think.


Biting the hand that feeds IT © 1998–2017