The former Technical Director of the NSA has appeared in front of lawmakers in the UK to voice his objections to the Investigatory Powers Bill that is currently being fast-tracked into law by the government.
William Binney said:
“My big objection with the NSA and GCHQ and all associated law enforcement agencies and how they deal with data fundamentally circles around the bulk acquisition of data of any type… You have to get away from bulk acquisition dumping on your analysts because it makes your analysts fail… They have failed consistently since 9/11 and even before that.”
He explained that he had 6,000 analysts working in 1997 who were charged with looking at phone and internet data.
He said that even then they “could not see how to solve issues around the world because there was too much data for them to look at.”
In order to combat this, his team created a “social network” using metadata to identify known targets and then built “zones of suspicion around them.”
He said this kind of targeted approach, which is no longer being used, enabled them to filter out anything unnecessary upfront, rather than having to mass-collect data. It also cost “one hundredth of what they’re using now.”
“I think the bill should address bulk acquisition and terminate that,” he added.
Money, money, money
Asked why he thinks the UK government is pressing for this kind of approach, Binney’s answer is simple: money.
“I think I know exactly why. They took it because the NSA did and the NSA did it because of the contractors and the interest in the money… There’s an awful lot of money behind the scenes that the contractors wanted to feed on.”
He pointed to the $3.8 billion Trailblazer program to capture internet communications as evidence of this and said that people were moving freely between working for the NSA and working for a contracted firm.
“The contractors were lobbying for this… They were trading the security of the people of the United States and the people of the free world for money,” he said.
When questioned on whether he thought £247 million over 10 years to deploy the powers in the bill would be sufficient, Binney said that this may be enough for retention and storage, but not processing, interrogation or software development.
Security and privacy
Other witnesses called today included the UK’s Information Commissioner, Christopher Graham, who audits data protection efforts of commercial and public bodies.
“If we’re saying to commercial service providers ‘we want you to retain everything’ then you’re building up a risk around data security and privacy… Data protection is a fundamental right so I don’t think it’s a case of signing off a blank cheque.”
He said he believed the Bill would pass but wants the government to confirm why 12 months has been chosen as the length of time that data will be retained, as this has not been justified in the existing document.
“There’s no indication why 12 months is right,” he said.
He also wants greater powers to enable him to force Communications Service Providers to cooperate more easily when they are asked to have their data audited.
He also suggested that Parliament should review the powers every year in order to ensure they are working in the way they were intended.
The Select Committee has been given just two weeks to hear evidence before making recommendations to the UK parliament, a timetable that has been widely criticised and was remarked on by the Information Commissioner in his evidence.
➤ Draft Investigatory Powers Bill Select Committee [Parliament.TV]