Sunday September 4, 2016 5:33 pm Leave a comment
I doubt you’ll remember reading about “Security Theatre” in my 2005 ID Card paper so I’ll repeat the passage here: I was commenting on the Home Office’s naïve concept of their ID Card as being somehow self-verifying.
It is a classic example of what Bruce Schneier calls “Security Theatre” where we make users go through the motions to make it look like we’re “doing security” but the procedures are actually meaningless “snake oil”
It’s taken me a while but I now realise that the concept is a useful template for another political/commercial deception I’ve been trying to tackle for some years. Most recently I’ve been trying to pique the interest of the only MP I know well enough to trust. Unfortunately he’s rather busy trying to manage at least two portfolios in Corbyn’s shadow cabinet. Despite which I see that he’s taken up the struggle against the Parliamentary Expenses Watchdog – IPSA – and their overweening bureaucracy.
I learned about his (so far) one man campaign from this standard mud-slinging DailyWail story I’m sure Paul knows he’s got absolutely zero chance of succeeding with his proposal for fixed allowances. But the real issue he’s trying to address is an example of how a system designed to avoid real accountability has no idea how to create it when they’re forced to.
The normal mode of (All) Governments is to avoid disclosing any information which might be used against them while trying to appear as open and transparent as their citizens demand. The result is what I have decided, henceforward, to call “Accountability Theatre”. It can be defined thus:
1 Setting up mechanisms, in order to pacify public demands for accountability, which are supposed to audit sundry claims and reassure the public that proper consideration and due process have been applied. But…
2 The mechanisms lack any provision for realistic forensically verifiable means of validating such claims. So…
3 The public are required to Trust the declarations of the auditor and the auditor is required to trust the limited evidence s/he is permitted access to.
4 Specifically, there is no mechanism for ensuring that the evidence accessed by the auditor is both complete and unedited.
5 In the most egregious examples, the auditor is also a member of or closely allied with the organisation they are supposed to audit.
As regular readers will know, the claims I’m most concerned about are those made by the State, such as “we only tapped this suspect’s mobile phone, to obtain call and location history because we had reliable intelligence that he was involved in a potential terrorist plot”
The Accountability Theatre in that situation consists of the fact that, at no point, can any potential auditor either see the raw data without the consent and collaboration of its custodian, nor, even if permitted to see it, to verify that it is complete and unedited. The entire process, in other words, is based purely on faith that the State can do no wrong, a ship which sailed at least a century ago.
Returning, briefly, to Paul’s complaint:
What MPs are stuck with, regarding Parliamentary Expenses is a direct result of recognising that they cannot get away with the normal Accountability charade in respect of their expense claims. i.e. following the expenses scandal they are now forced to jump through a ludicrous set of hoops in order to retrieve sometimes trivial sums of money which are often not worth the effort. They are, in the name of “Transparency”, effectively forced to stand on the “naughty step” every time they hold out their hand to get back some of the money they spend while doing their jobs. Hence, for example, we know that both Jeremy Hunt and Amber Rudd each submitted claims of just 27 pence for two short car journeys. This level of disclosure is considered necessary so that the public can be convinced that proper scrutiny of expenses claims is taking place.
And, frankly, it looks like they do a pretty good job. In the sense that no frivolous claims are ever likely to make it through a pretty rigorous checking system. The “Quick Guide” to what they’re allowed to claim is a mere 11 pages. The detailed version weighs in at 75 pages. IPSA employs about 70 civil servants, full-time, and are run by an “independent” board which includes at least one judge, at least one ex MP and an at least one real auditor. All this to manage the Pay and Expense claims of just 650 MPs, at an annual cost of around £5 million. In a typical commercial organisation of similar size, you’d expect 2 or 3 relatively junior staff to deal with that workload. They’d report to the Company Secretary or Financial Director. Total cost, probably less than £150k.
I hasten to add, in case it’s not obvious, that what IPSA are doing is most definitely NOT Accountability Theatre. It is Political Theatre, designed to demonstrate just how thoroughly we’re now watching our elected representatives. It is also a useful distraction from the unpublished detail of much more serious matters we ought to be demanding.
Contrast the obvious overkill effort they put into scrutinising what MPs claim on the Expenses, with the trivial and meaningless scrutiny put into examining the thousands of security requests routinely dealt with by the Home Office. At her Mansion House speech, June 2014 Theresa May proudly proclaimed that her role as Home Secretary included:
“If the Security Service wants to place a device in the property of a terrorist suspect, or the National Crime Agency wants to listen to the telephone calls of a drugs trafficker, they need my agreement first. On the basis of a detailed warrant application and advice from officials in my department I must be satisfied that the benefits justify the means and that the proposed action is necessary and proportionate.
The warrant application gives me the intelligence background, the means by which the surveillance will take place, and the degree of intrusion upon the citizen. Neither the Security Service nor other intelligence agencies, nor the police, nor other law enforcement agencies, can undertake sensitive surveillance without providing these details and gaining my approval. Ministerial oversight – which I share with the Foreign Secretary and the Secretary of State for Northern Ireland – is a crucial safeguard to make sure that the most intrusive powers are used only when they are necessary and proportionate.”
Now then, how long do you think it would – or should – take to make a thorough assessment of the validity of just one such warrant application? Checking the content of the intelligence and, if necessary, its provenance; considering whether that content, in context, justified spying on a citizen; considering the means and degree of espionage being recommended; investigating whether the individual has previously been targeted and what, if any parallels there are between the circumstances of that targeting and the one being proposed; verifying that the appropriate risk assessments have been made and properly recorded; verifying and justifying the proposed cost etc. etc.
It is impossible to answer such questions without a detailed academic study, which we will, of course, not be permitted to make, but an intelligent guess has to be between one and five days of pretty intensive study. Yet, as MP David Davis pointed out in 2015, Theresa May was required, during the previous year, to approve up to 10 warrants a day – and that was just for phone interceptions.
That speech was supposed to illustrate how seriously she takes her responsibility for “political oversight”. I have no doubt she was sincere and believed that what she was doing actually constituted meaningful oversight. It was obviously, in reality, just a box ticking exercise and classic “Accountability Theatre”. I doubt she has the faintest idea how to seriously examine the validity of those warrant applications. She’s been trained and advised to rely on her Civil Servants, who will do all the real work on her behalf. All she needs to do is feed the monkey.
Their defence against such a charge would likely be along the lines:
well of course the Home Secretary doesn’t research the applications herself, that’s what the “advice from officials in my department” is supposed to mean.
But that’s no more than one branch of the establishment giving the nod to another branch, with which it has closely entangled, even incestuous relations. Why on earth are we supposed to trust that arrangement?
Their ultimate answer to that is the Parliamentary Intelligence and Security Committee, which, ostensibly has the power to question everybody and see everything. Yet the Snowden revelations came as a surprise to this ultimate oversight body (search the page for “Snowden”)
And their subsequent investigation of the revelations regarding GCHQ “rather promptly” resulted in an absolutely clean bill of health. So “promptly” that even a former Chairman of the same committee, Lord King, was moved to comment that:
“the decision by the Rifkind-led committee to swiftly endorse the work of GCHQ was “unfortunate” because the endorsement came while new disclosures from files leaked by the whistleblower Edward Snowden were still being published by the Guardian and other newspapers around the world.
“I think their response was pretty quick,” said King, a former Northern Ireland secretary. “It came at a time when revelations were still coming out. It is very important the ISC maintains public confidence as a scrutiny committee.”
Not only are the committee members obviously part of the establishment that they are supposed to police, but NONE have anything like the skills or expertise required to make a thorough examination of the work of GCHQ, especially “promptly”. They don’t even know the right kind of questions to ask.
The ISC is designed to be Accountability Theatre and, on this occasion, they panicked and fluffed their lines. Normally, they would have made a big show of visiting GCHQ, interrogating its mandarins in both public and private, and, after a few months of due consideration, announced their august whitewash. But the veil slipped for a few moments and those of us who were paying attention spotted the naked Emperor.
So now let’s turn to the serious shit.
The Government Case for Watching All of Us All The Time
The chief response of the Government, to being caught with its pants down over the unregulated Bulk Surveillance of its own citizens has been to frame new powers which retrospectively justify that outrageous invasion of privacy and to pretend it hasn’t already been going on, illegally, for years. If you’ve got the stomach for it, you can read their arguments here:
It may surprise you but I am not going to take issue with any of their arguments for Surveillance. Such objections are, in my view, the weakest argument made by the Privacy/Liberty lobby and the one most easily defeated by the State. Given the right circumstances, there is NOTHING which can be definitively ruled out as a legitimate counter-measure for a State to employ in defence of its citizens. I certainly include the occasional need to assassinate one or two citizens in order to protect other citizens. Perhaps the most recent unarguable example of the legitimacy of that counter-measure being the killing of the French lorry driver who deliberately ran down 86 of his fellow citizens in Nice on Bastille Day.
But given that such circumstances obviously have arisen from time to time and will, inevitably, arise again, it must follow that less dramatic circumstances will arise which will justify all manner of lesser measures like Surveillance and other intelligence gathering activities. Here, I include, for example, the highly controversial embedding of “deep cover” agents inside hostile organisations.
But if we’re prepared to delegate such powers to the State, then it ought to be obvious to any intelligent citizen that nothing and no one should be (digitally) watched more closely than those we delegate such powers to. Then we would be in a position, after the event at least, to determine whether their action was justified and proportionate. And THAT is where we’ve dropped the ball. Or, rather, that’s where the State has chosen to run off with the ball and not allow us even to see it.
I really don’t want to start giving examples of how often and how badly the State has made indefensible and often disastrous decisions in this field and how seldom anyone has ever been held truly accountable for them. This blog and my other writings contain hundreds of examples and if you’re reading this, you’ve probably already read a few of those and many other similar analyses dotted around the web.
I’ll just touch on one area; the embedded agents. We used them to penetrate the IRA. That was necessary and justifiable; even when our agents took part in some of the killings. Anything less would have blown their cover. We’ve almost certainly got or are trying very hard to get embedded agents inside ISIS and Al Qaeda and their more serious offshoots. Those agents too will have to participate 100% like the real thing. That means they’ll take part in recruiting other Jihadis and even occasionally have to kill innocent civilians just to maintain their cover. Some of those citizens might even be British.
But if and when something goes wrong with these operations, the agents are exposed, the shit hits the fan and everything goes titsup, who are we going to trust to tell us the whole truth about how and why it happened? The people who screwed up in the field or in the back office? The politicians who authorised it? Or should we trust the half-tamed “Independent Reviewer of Terrorism Legislation” who has just endorsed the Bulk collection of Private Data as having a “clear operational purpose” as they “play an important part in identifying, understanding and averting threats in Great Britain, Northern Ireland and further afield”?
He can’t, unfortunately, provide concrete examples but he does advocate “very considerable caution” without coming close to providing a meaningful mechanism for proving that such caution was exercised.
And if you study the government’s own case for such powers (see the link above), you’ll find 3 references to “Safeguards within the Bill” and in each case, those safeguards amount to an assurance that the powers can only be used for purposes specified (chiefly National Security related) and will be independently audited.
Real – Digitally Verifiable – Accountability
If ever a government gets serious about Accountability, here’s what it will need to do, not just for matters related to snooping on their own citizens but for ALL government decision-making processes; though the obvious starting place is “Watching the Watchers”.
The audit trail should contain digital copies of all evidence, relevant conversations, policy decisions and the operational recordings of implementation, pertaining to the events being audited. Each item should have been cryptographically fingerprinted (hashed) and the hashes lodged on a public accessible immutable database (blockchains or protected hash-chains) in real-time as the items were created.
Case folders or periodic snapshots of such data should be similarly hashed so that no item can be withdrawn after the event, without the gap in the data being obvious.
These techniques are not new. I’ve been promoting them for more than a decade myself but Bitcoin has done a much better job of waking people up to the significance of immutability.
Meanwhile, back in the real world, the government “Safeguards” contain no mention of real-time mandatory data storage on an immutable database, so there will be no way for the independent auditor to determine whether he is seeing the whole story and whether what he’s been allowed to see is as it was when originally stored. The proposed safeguards are just routine Accountability Theatre.
In the optimally Accountable world, whenever an issue is raised regarding the validity of behaviour by the State, the audit team will include appropriate experts in the technical, legal and financial fields they are about to investigate. Their proceedings will be overseen by a Jury, not a Judge. It might be a specially vetted Jury and it may often choose to sit in Camera in order to protect genuine National Security. But Democracy requires the power to reside not in State Appointees who may have a vested interest in hiding incompetence or malfeasance but in ad hoc representatives of the People who will, for the duration of the audit at least, have no other agenda.
The audit will have unfettered access to the data. With such a provably complete and unalterable (without detection) audit trail, the audit team and their Jury can now sift through the evidence and decide for themselves what questions need to be asked and whether the evidence fully answers them. If it doesn’t, they can establish culpability and publish the relevant facts, with due care to ensure sensitive secrets are not exposed. If all the questions are answered and the actions taken shown to be reasonable and proportionate in the circumstances, they can publish that finding and, unlike the situation today, we could safely believe them.
In such circumstances, for example, how do you suppose that process of true Accountability would have dealt with the disgusting overreach of the State in those other more famous embedding cases such as the 7 women who unwittingly had long-term relationships with undercover cops who were paid by the State to infiltrate legal political organisations like environmental groups, animal rights groups and Trade Unions? I suggest the mere knowledge that it would be impossible for the Police to hide such behaviour from the Audit would be enough to prevent that kind of abuse in the first place.
The Pitchford Inquiry is supposed to be investigating a whole raft of other similar abuses. But many have already commented that unless the relevant Police could be compelled to tell the truth, the whole truth and nothing but the truth, it will be a waste of time. Given that none of the relevant material was immutably recorded at the time, we will never know how much, if any, of “the truth” they are telling. So the entire inquiry is bound to be just like all the other major inquiries. The Accountability Theatre Players will throw just enough meat to the baying wolves to make them think there’s been a real kill and then everything will return to normal.
The State already has vast Surveillance capabilities and total freedom to use them without any meaningful independent oversight. The crimes committed in our name in this century alone have illustrated the desperate need to eliminate Accountability Theatre with the relevant technology and the laws required to mandate its use. Yet, instead of moving in that direction, the government is intent on ramping up the extent of surveillance to levels which make even the Police State of America’s USA PATRIOT Act look restrained.
If you’ve read this far can I suggest that if you wish to be part of the solution rather than part of the problem, you could make a useful start by demanding that your own MP explain how s/he is going to fight Accountability Theatre.