Lee Rigby report expected Facebook to break US law

Yesterday saw the publication of the Intelligence and Security Committee report into the events leading up to the murder of Lee Rigby. On reading it, one gets a sense of naivety from the members of the committee on how the Internet works, particularly when it comes to international jurisdictions. (Communications data is p139 onwards)

Notably, the committee seemed surprised that wholly US companies did not consider themselves to be subject to UK laws. To emphasise that, here’s an extract.

242. The UK Government has always asserted that the Regulation of Investigatory Powers Act (RIPA) has implicit extra-territorial jurisdiction. The problem is that, whereas UK Communications Service Providers (CSPs – Facebook, Twitter and so on) accept that they are legally obliged to provide access to the communications of individuals, most CSPs based outside the UK do not accept that the UK legislation applies to them.

Many in the UK would be shocked if random foreign laws suddenly applied to them, so it’s a little concerning that the Home Office think the reverse might be true.

It continues:

The Home Office has explained the argument the US CSPs have made: “RIPA lacks explicit extraterritorial jurisdiction and cannot be argued to place any obligations onto CSPs based outside of the UK.

The Home Office explained the particular issue US CSPs have raised, that: “complying with RIPA would leave US companies in breach of US legislation (including the Wiretap Act in relation to lawful interception)

So the problem is not just that the Home Office believes it can pass UK laws compelling people in foreign countries to hand over data, but that it thinks UK law can compel people to break their own local laws. I usually only see that level of “we’re a world power” arrogance in Americans from particularly red states these days.

Even if we restrict the “our data laws should apply in your country” principle to US-UK relations and ignore countries like China or Russia, it quickly becomes clear that this would cause all sort of problems in areas where we do not agree on policy.

The section of the report that has been most covered is the part that blames an unnamed site, since revealed to be Facebook, for not alerting the security services to an exchange between one of the attackers and an associate. The whole analysis suggests a lack of knowledge of how the internet and social media works:

  1. Firstly, there is an assumption without discussion that Facebook has a “moral duty” to search all member communications for suspicious content. This assumption conveniently ignores:
    • That it’s possibly illegal under US Wiretap laws mentioned earlier
    • The huge problems associated with appointing a US company guardian of international morals (I am hoping that the ISC does not expect Facebook to examine content on the basis of the laws of the country the end-users are in, unless it thinks social media sites should be reporting LGBT people to the authorities in countries where that is illegal)
    • The rather robust freedom of speech the US has
  2. There is also an assumption that Facebook could have detected the exchange via automation. This is based on the closure of several other accounts for various reasons, some of them unconnected with terrorism even though the account the exchange took place in was not closed. It is not clear if the “automatically” closed accounts were due to a large volume of uncontested end-user complaints, because that sort of quasi-automation of complaints triggering account closures on social media will not help with private chat between individuals. What the US regards as terrorists another state might regard as freedom fighters, which also puts Facebook in a sticky situation deciding who to report.
  3. That determining which security service to tell is not easy. If a US citizen is on holiday in the UK and messages suspect content, do you tell the US or UK authorities? The Home Office expressed reluctance in it’s MLAT discussion to go via US authorities, but is it expecting Facebook to report everyone to UK police when it doesn’t have any way of knowing their nationality? The US government may not be too happy about that, given it would mean allowing the UK to spy on US citizens here on holiday or business.
  4. That blanket trawls for data can produce quite unjust outcomes, such as the Robin Hood airport case.
  5. That the information needs to get to the UK somehow when as noted earlier, this may be illegal under US Wiretap law.
  6. And that the UK security services would need to find time to look at a potentially huge amount of data, when the report already highlights the amount of data they have to sift through is more than they can handle

Fortunately, the committee did not entirely side with the Home Office.

The report includes a discussion on existing routes that UK security services can use to obtain data using US laws and the committee quizzed the Home Office on why the Mutual Legal Assistance Treaty (MLAT) was insufficient for data collection. The Home Office response included the following:

…the MLAT process would require the release of sensitive data to the US authorities, since “the intelligence case underpinning the warrant application [would have] to be considered by US authorities”. In addition, the US legal process would mean that the Secretary of State’s decision (i.e. the warrant) would be exposed to scrutiny by a US court. This would be at odds with RIPA which prohibits the disclosure of the existence of an interception warrant

The ISC did not have much time for the Home Office’s “we can’t be bothered with any of that due process stuff unless it’s not our process” response and suggested instead that MLAT was probably exactly the route we should be using.

Due to the tone of the report, I took some time to dig into the backgrounds of those MPs and Lords who sit on the committee. Shockingly, it is terribly unrepresentative even by parliamentary standards – five of the nine members are lawyers, one was a civil servant for his entire career and one appears to have never had a non-political job. Of the remaining two, one was a teacher and the other was very briefly an engineer back in the late 1960s/early 1970s before becoming a lecturer. The average age is 65 and none have any IT or Intelligence background that I can see.

This does not seem like an appropriate group of people to be scrutinising intelligence work in an increasingly digital world.

And as a parting note, I shall point out that there is nothing anywhere in the report that suggests increasing UK communication interception laws would have prevented the murder of Lee Rigby.