Evil US web giants shield terrorists? Evil spies in net freedom crush plot?
Calm Down and Carry On
OK then, let's try spookery
MI5 has the capacity to employ what we take to be the more traditional black arts of spycraft in order to get more information about an individual's activities:
Clear? This splendidly redacted section would seem to be telling us that they could monitor his Internet connection and/or bug his premises. But if Adebowale was using a connection they didn't know about and/or weren't tapping, that wouldn't help. And they don't know specifically how he made the post that communicated with FOXTROT, an unnamed extremist. And if MI5 ran into encryption, the report adds, its ability to read the communication would have depended on the availability of analytical resources and other priorities at the time.
GCHQ, then? GCHQ's capabilities are somewhat more international, as is coyly revealed here:
The "technical operations" used to "access communications sent from an SoI's computer or device" that is used "only when targeting the communications of the highest priority SoIs" must be corkers. GCHQ also opens up on how much of the world's Internet traffic it can intercept:
Or not. But even without seeing the percentages we can deduce that GCHQ can only access a fraction of traffic, and that it can only process a fraction of that. And even if they'd caught this particular piece of traffic they would not have known they'd caught it, and would not have processed it.
Which takes us back to the web companies, and to the way they deal with suspected terrorist content. Says the ISC:
Whilst there may be practical difficulties involved, the companies should accept they have a responsibility to notify the relevant authorities when an automatic trigger indicating terrorism is activated and allow the authorities, whether US or UK, to take the next step. We further note that several of the companies attributed the lack of monitoring to the need to protect their users' privacy. However, where there is a possibility that a terrorist atrocity is being planned, that argument should not be allowed to prevail.
The first part of that seems a reasonable basis for discussions between the CSPs and HMG, because - as we said at the outset - the companies have plenty of motivation to tackle this. The ISC is surely being delusional if it thinks that every/ automatic terrorism trigger should be passed on to the authorities, but something that works better and doesn't overload the CSP or the security services could possibly be worked out.
Passing tips directly to the UK services will however remain tricky, and as Ross Anderson argues here, this is unlikely to change any time soon.
The ISC itself accepts that changes to US legislation are "unlikely in the short term, particularly in the climate created by the NSA leaks." It does believe that there is "merit" in attempting to extend the MLAT process to intelligence investigations but the Home Office demurs, saying treaty changes would need senate ratification, possibly primary legislation, and the process still wouldn't be fast enough. In addition "the intelligence case underpinning the warrant application [would have] to be considered by US authorities", and "the Secretary of State's decision (i.e. the warrant) would be exposed to scrutiny by a US court." Which the Home Office would not like.
The ISC comes up with one other possibility that may be worth pursuing:
We note that the US CSPs have an agreed process for tackling child sexual abuse images: this should be examined to see whether a similar model could be adopted for terrorism cases. In the case of child abuse, there is a mandatory obligation under US law to report such images to the US National Center for Missing and Exploited Children (NCMEC). NCMEC then "makes that information available to non-US law enforcement by providing access to country-specific information in NCMEC's database via a virtual private network".
Otherwise, it's back to talking, and hoping that the US companies aren't sufficiently pissed off by lurid headlines and shouting politicians to abandon cooperation. On the upside the headlines and the speeches in no way reflect what the ISC report actually says, and these companies are big enough and sophisticated enough to know they do need to keep government onside.
So they'll talk, so long as some people shut up really soon now. Whatever emerges certainly won't be the magic bullet of information-sharing that would allow the UK to serve RIPA warrants on US companies, and the FBI to do it the other way around - but then if that were possible, we probably wouldn't like it either, right? ®
*We made that bit up.