Writing in today's Financial Times, Robert Hannigan – who replaced Sir Iain Lobban as director of the UK surveillance agency earlier this month – said that US technology companies are “in denial” about the misuse of their services and – citing ISIS being “at ease with new media” – added that intelligence services such as GCHQ, MI5 and SIS cannot tackle these challenges at scale without greater support from the private sector.
Following revelations by NSA whistle-blower Edward Snowden about the security agencies' surveillance activities, both with and without cooperation from tech companies, organisations such as Facebook, Google, Yahoo hand Microsoft have denied granting access to their systems by intelligence services. But now GCHQ is seeking to generate public debate on the limits of privacy, describing the web as a terrorist's “command and control network of choice”.
“However much they may dislike it, they [US technology companies] have become the command and control networks of choice for terrorists and criminals, who find their services as transformational as the rest of us,” wrote Hannigan, whose comments come just a day after Facebook set up a link on Tor for users who wish to remain anonymous.
And despite the continuing unease over government surveillance, the new GCHQ head went onto say that most internet users “would be comfortable with a better and more sustained relationship between the [intelligence] agencies and the tech companies.”
Hannigan's comments have been met with surprise and shock in both the surveillance and sector communities, especially in an age where the NSA – the US spy agency – has taken measures to embrace reform and become more accountable.
Three UK security officials reportedly told the FT that the likes of Facebook and Google have curbed the ability for the government to tap valuable electronic data in the wake of the Snowden revelations, while other tech vendors are said to have been alarmed at the idea of creating “better arrangements” which could well circumvent a current process where data requests have to be granted via court order.
Meanwhile, other industry observers said that more collaboration between government and private sector would require more transparency and oversight, a sticking point for GCHQ which – like MI6 – remains famously private.
Rafael Laguna, CEO of German communications software developer Open-Xchange, issued the following statement to SCMagazineUK.com:
“Mr Hannigan is correct in one respect; internet users would be comfortable with a more ‘sustainable relationship' between intelligence agencies and technology companies, but his idea of a sustainable relationship is quite some distance from that of the big technology companies and their subscribers,” he said via email.
“Monitoring all electronic communication en masse breeds fear and suspicion, and it's natural that individuals will move towards more secure technology such as encryption to avert this. As it stands we have no insight into when our communication is being monitored, or even why. Perhaps this more sustainable model is agencies alerting you to let you know when and why your data was accessed.
The not-for-profit Open Rights Group, which was founded ten years ago by 1,000 digital activists, branded Hannigan's comments “divisive and offensive”.
“Robert Hannigan's comments are divisive and offensive. If tech companies are becoming more resistant to GCHQ's demands for data, it is because they realise that their customers' trust has been undermined by the Snowden revelations,” said executive director Jim Killock in a statement.
“It should be down to judges, not GCHQ nor tech companies, to decide when our personal data is handed over to the intelligence services. If Hannigan wants a 'mature debate' about privacy, he should start by addressing GCHQ's apparent habit of gathering the entire British population's data rather than targeting their activities towards criminals.”
Update: David Emm, principal security researcher at Kaspersky Lab, has told SC that this is the latest proof that balancing security and privacy is now easy thing.
"There will always be an underlying tension between privacy and security. On one hand society has a collective interest in security and in law enforcement agencies pursuing those responsible for crime and cyber-crime. On the other hand, we all have a legitimate right to privacy. But it's not an easy thing to get the balance right," he said via email.
"As we have previously seen, co-operation between businesses and law enforcement agencies has brought down botnets such as Zeus and CryptoLocker. Social networks and other online providers have a duty of care to their customers, in terms of respecting their right to privacy. But where such companies come across suspicious content, or see postings related to illegal content, within their own networks, it is reasonable to expect them to share these concerns with law enforcement agencies.
"It is the responsibility of the website providers to cooperate with law enforcement agencies to make sure privacy is respected whilst ensuring that security is maintained, and that those behaving outside the law are reported and dealt with accordingly."