William Binney giving evidence. Image: Screenshot from Parliament TV
What if mass surveillance was not only ineffective, but a potential danger to the safety of citizens?
That’s the argument made by one former intelligence official. As the UK's proposed new surveillance law looms, several evidence hearings with experts, government officials and activists have taken place in front of the Joint Select Committee that is vetting the draft Investigatory Powers Bill. In one session on Wednesday, retired NSA technical director turned whistleblower William Binney argued that mass surveillance, and particularly forms of it executed by the US and British governments, is fundamentally flawed, and may even result in the loss of life.
When information is collected and stored en masse, “The end result is so much bulk data, that their analysts can't figure out what they have. That's the real problem,” he said, drawing on his own experience while working at the NSA.
Binney said that this swarm of data can lead to analysts becoming far less efficient at detecting threats and thwarting attacks. “The end result is de-functionality of the analyst, and no prediction of intention [or] capabilities, no stopping of any attacks, people die, then when they die you find out who did it,” he continued.
"It's not helpful to make the haystack orders of magnitude bigger, because it creates orders of magnitude more difficulty for finding the needle"
Supporters of the law feel that the powers cemented under the draft Investigatory Powers Bill are required for the police and intelligence services to better do their job.
“The task of law enforcement and the security and intelligence agencies has become vastly more demanding in this digital age. It is right, therefore, that those who are charged with protecting us should have the powers they need to do so,” Home Secretary Theresa May said in her speech announcing the bill last November.
Binney made similar points in his written evidence to the committee, submitted before Wednesday's hearing, writing that “bulk data overcollection from Internet and telephony networks undermines security and has consistently resulted in loss of life in my country and elsewhere, from the 9/11 attacks to date.”
In short, Binney’s position is that surveillance should be conducted in a more targeted manner; that irrelevant data should be automatically filtered out, so that analysts are left with a clearer picture.
Binney also made reference to the recent terrorist attacks in Paris. After those events, investigators tracked down at least some of the people responsible—but with a different approach to surveillance, Binney suggested those attacks could have been averted.
“They could have gotten all that data right up front doing a targeted approach, and they could have had the opportunity to stop them before the attack,” he said, and added that it was the same problem for 9/11 as well as 7/7—that analysts were simply swimming in too much data, making identifying threats all that more difficult.
If passed into law, the UK’s draft Investigatory Powers Bill will force internet service providers (ISPs) to store the browsing history of all customers for 12 months. More specifically, it will govern the collection of so-called “internet connection records,” which includes not just a list of websites visited, but also connections made to communication tools such as WhatsApp. The bill is so broad that it may also encompass events such as a computer connecting to a remote server to receive an update.
It will also formally legalise GCHQ's current bulk surveillance powers which have been on shaky legal ground.
In his evidence, Binney talked more about this latter aspect, and spoke generally about bulk collection and other surveillance programs run by the NSA and GCHQ, but the committee seemed keen to focus specifically on the new powers to be forced upon ISPs.
At one point, when Binney spoke about NSA programme PRISM, his interlocutor said, “That's not what's in this bill, that's not what we're talking about today.”
Regardless, Binney raised some compelling points about the broken nature of the collect-it-all attitude to surveillance.
“It's not helpful to make the haystack orders of magnitude bigger, because it creates orders of magnitude more of difficulty for finding the needle,” he said.