Matt Gemmell


10 min read

Yesterday, The Guardian in partnership with The New York Times and ProPublica published a story about the capabilities and ongoing endeavours of the British and American signals intelligence organisations: GCHQ and the NSA respectively. The information is based on documents obtained by The Guardian which were revealed by Edward Snowden.

None of the news is surprising. As any reasonable person would expect, the intelligence agencies have mounted decades-long (and seemingly successful) attempts to compromise standard encryption protocols (including SSL as used ubiquitously on the internet for commerce, banking and authentication), introduce weaknesses and backdoors into industry encryption algorithms, and to access unencrypted information directly on the servers of domestic and foreign commercial, governmental and military entities.

So far, so predictable. Indeed, it would be very surprising if any of these things weren’t true. Welcome to the world you’ve already been living in. A number of things which any sane person had already assumed to be true are now essentially known to be the case:

  • All of your electronic communications, including internet traffic, cellular phone calls, land-line calls, and SMS texts are available to the US and UK governments for interception, decryption when necessary, and inspection. This includes online banking, purchasing, travel, chat, email, and so forth.

  • There are no functional jurisdictional barriers available. As has been known for many years, the US sidesteps constitutional protections by having British GCHQ intercept, analyse and report on American citizens’ data, and vice versa. The twin practical requirements of secrecy and expediency essentially work together to remove effective preventative oversight.

  • As is only sensible, representatives (covert, in most cases) of the signals intelligence agencies of these governments are in place at major telecommunications hubs in the public and private sectors, to ensure continuing access to the data flowing through those facilities.

  • Commercial entities are compelled to facilitate this surveillance, via court orders which cannot legally be disclosed for (nominal) reasons of national security. It would be incredibly naive to think that there isn’t a direct means for the US and/or UK governments to access whatever data is held by Google, Apple, Microsoft, Yahoo, and so forth. This will most certainly include Gmail, Hotmail, iCloud and iMessage, Skype, FaceTime, Google Drive, and all other relevant technologies. The companies would not be permitted to inform you if this was the case, and it would be grossly irresponsible of the SIGINT agencies to not arrange such access if it were possible to do so.

If you didn’t already assume that all this was happening, I really have to wonder why not. It’s inevitable, and entirely in keeping with the goals and modus operandi of state-operated secret signals intelligence-gathering institutions. That’s what they do. That’s what they’ve always done, and what they’re designed to do.

We should also note that encryption probably isn’t to blame. The mathematics is sound; it’s just rendered toothless by the inexorable forces of human stupidity on one hand, and determination on the other. An algorithm can only be perfect until it’s implemented by a human, and tested by another human (or by a testing program written by a human), then run on machines designed by humans. Information and facilities are safeguarded by humans, some of whom might not be who they appear to be, and they’re all subject to some laws, somewhere. There’s the flaw; as always, it’s us. It’s no surprise at all that flaws exist, both deliberate and accidental. Those flaws are opportunities for exploitation.

We’re also talking about the internet, where all the boundaries blur. The differences between citizens, residents, immigrants and even foreign nationals are illusory. There’s only the world; that’s the nature of electronic communications. The very notions of jurisdiction and even place are fuzzy when you’re online. Our laws haven’t even remotely caught up.

Do we want them to, and can they? Those are difficult questions. The internet is a huge, global communications network which anyone can inject information into, but whose major physical and conceptual hubs are controlled by (or available to) a relatively small number of governments and large commercial organisations. It’s a surveillance dream. It’s readily exploitable, so you’d better believe that it’s being exploited.

“But what about my right to privacy?” I hear you cry. You don’t have one. Before you object to that, let me clarify. I don’t mean that you don’t have one; you do, morally and legally. I mean that you don’t have one. Privacy isn’t a single thing. There are categories and tiers. It’s an uncomfortable but necessary distinction. You can’t have global electronic communications, and nation states, and international diplomacy (and SIGINT) without also having a more nuanced concept of what privacy is.

Privacy is about reasonable expectations in context. There are privacies that we want, privacies that we don’t want, and privacies that fall into both categories: ideally we’d have them, but pragmatically they’re impossible because of the vulnerabilities and consequent compromises that would have to be made. A contemporary concept of privacy must unfortunately consider who you wish to keep things from.

Just off the top of my head, I can think of a few categories of privacy.

  • Personal privacy. Your ability to keep your activities and information private from your fellow citizens, or a casually-interested third party. I’d say that we already have this, and there are legal safeguards to ensure that we continue to do so.

  • Online personal privacy. Most of us choose to sacrifice some portion of this for the sake of ego and/or socialising, but we have at least a tolerable status quo. Encryption, password-management etc are notoriously poorly-implemented and breaches of company servers occur on a monthly basis, but by and large we’re able to conduct our online lives in some measure of order.

  • Privacy from companies and public bodies outside the domains of law enforcement and national security. This is even more strictly regulated than personal privacy, complete with fines and even imprisonment as the penalty for violations. I think we’re more or less OK here too. We live in an age of greater transparency in this area than we’ve ever had.

  • Privacy from the state (or cooperating foreign powers), within the grounds of intelligence and law enforcement. This type of privacy doesn’t exist. It has always been a comforting illusion, and never a reality. The state reserves the right to inspect your personal affairs in minute detail, for the nebulous and shifting purpose of the greater good of itself and its allies.

  • Privacy from hostile foreign powers, i.e. protection from espionage. Rationally, we must assume that this also doesn’t exist, since there’s no conceivable chain of accountability. Most of us aren’t worried about this one, though, even if we should be.

This current flap is about privacy from the state. Notionally, we’re protected by legislation, due process, reasonable cause, and so forth. More realistically, we must assume that the state knows (or at least can know, should it choose to) everything about our online lives, which in turn reveals probably almost everything about our offline lives.

Is it reasonable to want the state to stay out of your life, assuming you’re not breaking the law? Yes, of course – that’s a normal desire. Is it reasonable to expect to have the internet, and for the state not to perform online surveillance on a massive scale? No. That’s an unrealistic expectation.

Ideally, the scope of obtainable information would be limited by law to apply to current, specific intelligence-gathering goals, and would require reasonable evidence to be duly reviewed by a trusted body (hopefully elected) before approval was given. Only then would data access be granted. And everything would be overseen, with a route for judicial review and penalties for infractions. That’d be great. That’s what we’re lead to believe that the law does right now.

in practise, there are too many ways around any such law, and there are also legitimate cases where due process would impose a dangerous burden or delay. I’m not saying that’s a justification for running roughshod over personal liberty (I think most of us would be willing to tolerate those dangers for the sake of the greater principle of freedom from universal surveillance), but again these activities take place covertly. The secret world is very different from public government agencies. Many of our self-checking and self-limiting mechanisms would sabotage those agencies’ core capabilities.

Maybe that’s true and maybe it’s not, but it’s certainly what those agencies would argue. It’s a tough argument, because it’s easy to come up with examples where it’s true. Modern history is littered with covert intelligence organisations that have been officially disbanded only to continue in another form. Pragmatically, there can be no slackening of intelligence-gathering.

There’s no way back from here, not just in the sense of the appalling consequences of having communications systems that our own national security apparatus are incapable of eavesdropping on, but also in the mundane world of politics. It just isn’t going to happen. They might decide it’s wise to tell you it has, but it isn’t going to be any more true this time than it ever was.

We’ve never been more observed than we are now, and we’ll probably never be less so. The politicians and power-brokers of 2025 are currently teenagers who are posting incriminating or at least politically embarrassing material on the internet on a daily basis. I don’t hold out much hope for a legislative clear-out any time soon. That’s how state security institutions work. A sensible policy of security-vetting elected officials quickly becomes a stockpile of material that can be used to sway or control policy. It’s not paranoia; it’s just a routine and inevitable fact that’s always been true. There’s not going to be a big change. Widespread electronic surveillance is here to stay.

So what do we do about it? Probably not a lot, if we don’t want to sacrifice effective national security, international relations, and global communications. Truly unbreakable encryption might make you feel better, and protect against the worst abuses of totalitarian and repressive regimes, but it’d be a disaster for Western security. I’m sure we can all see which way the wind is blowing on this issue.

If you have something you want to keep absolutely secret, the rules haven’t changed. Don’t tell anyone. Don’t write it down. Don’t ever put it anywhere near an electronic device. Keep it tucked away in your own head. If it’s too big for that, accept that you’re leaking security and commit it to a digital form, but offline. Even then you can’t be sure. If you truly have something you want to keep completely secret, you simply have to never allow it to exist outside of your own mind.

I’m ideologically conflicted by the knowledge that we exist, intractably, in a society of ubiquitous surveillance. I’m uncomfortable with it, but I can’t find it in myself to roundly condemn that state of affairs. I certainly can’t find a plausible, realistic alternative – so I must simply accept it for the time being, with no expectation of it changing within my lifetime.

This is the price of everything we have. We’ve built this connected global community and we’ve reaped the richest rewards from this planet via ingenuity, threats, cooperation, war, lying, diplomacy, buying and stealing. Even the language of the internet is our spoken language. It can’t be taken back.

If we want to keep all of this, then someone must always be watching. I accept that. The naivety of denying it can be readily brushed aside.

At the same time, I’m not blind to the double-edged sword. Quis custodiet ipsos custodes?1

I don’t know. And that troubles me.

  1. Who watches the watchmen?