Tech firms anti-terrorism efforts criticised in Rigby report
The Intelligence and Security Committee (ISC)'s report into the murder of Fusilier Lee Rigby suggests there was a "significant possibility" MI5 could have prevented the attack had its officers been aware of an online exchange in December 2012 between Michael Adebowale and a person codenamed Foxtrot.
"The party which could have made a difference was the company on whose platform the exchange took place," it says.
However, it adds, the company "does not appear to regard itself as under any obligation" to have indentified the conversation or acted to prevent the threat of an attack becoming reality.
"There is therefore a risk that, however unintentionally, it provides a safe haven for terrorists to communicate within."
The version of the report released to the public does not identify the service involved, but goes on to highlight the "considerable difficulty" MI5 has accessing content from six US-headquartered companies:
This returns to a theme highlighted earlier this month by Robert Hannigan, the new director of GCHQ, who wrote an article for the Financial Times suggesting the tech giants were in denial over the fact their services had become "the command-and-control networks of choice for terrorists".
The companies, in turn, have stressed their need to protect users' privacy. They have promised to co-operate with the authorities if surveillance requests occur under a legal framework and with oversight.
But the ISC highlights the practical problems British authorities experience when they try to hold the companies to this commitment.
Its report states that because the companies are US-based, they refuse to accept the UK has jurisdiction over them when it comes to lawful intercept requests and instead require authorisation from the US courts.
For example, it notes that Twitter's guidelines explicitly stated that requests for tweets, direct messages, photos and other content required a "valid US search warrant".
In fact, the reference to the United States in this passage has since been dropped from Twitter's site, but the San Francisco-based company still states it only guarantees a response to "valid legal process issued in compliance with US law".
The UK, is of course, an ally of the US, and British agencies can request their American partners seek local authorisation on their behalf.
The problem is that in practice, the ISC says, this only happens when there is an imminent threat to life.
The conversation in which Adebowale said he intended to murder a soldier occurred about five months before the attack - the implication is that this might not have qualified.
So why aren't the tech companies flagging up spotted threats themselves?
The committee says it had been told the messaging service used by Adebowale had closed some of his accounts before the murder and that GCHQ believed this was because the company's automated internal checks for terrorism-related content had been triggered.
Yet it notes that no person at the company had ever reviewed the contents of the accounts or passed on the material for the authorities to check.
The ISC contrasts this with the fact such companies are often quick to tip off others when it comes to suspected cases of child abuse.
"On the basis of the evidence we have received, the company does not have procedures to prevent terrorists from planning attacks using its networks," the ISC says.
The committee does, however, acknowledge that the six named US companies took different approaches to the matter.
Its report states:
- Apple, Twitter and Yahoo said they did not proactively monitor their members' communications - Twitter noted the volume of material it hosted made this "unfeasible"
- Google said it ran an automated system to detect dangerous websites and suspicious log-ins among other material, but only manually reviewed a small percentage of the findings
- Microsoft said it did not monitor communications "in the way [the ISC's members] contemplate"
- Facebook's reply is redacted
For the most part, however, the ISC says the companies rely on either other users or the authorities notifying them about offensive content before taking action - an approach it suggests is ill-suited to tackling covert communications between terrorists.
Furthermore, it highlights that the companies' embrace of complex encryption techniques is making it even harder for GCHQ to spot potential threats in the "204 million email messages, 100,000 tweets and a million Facebook posts" sent every minute.
And the report is critical of the suggestion the companies need to prioritise their users' privacy.
"Where there is a possibility that a terrorist atrocity is being planned, that argument should not be allowed to prevail," it says.
Tellingly, a section covering how GCHQ and others are seeking to tackle the issue is blanked out.
'Impossible to predict'
Prime Minister David Cameron and Labour Party leader Ed Miliband have both called for the tech companies to create a standard method to alert the authorities to cases of suspected extremism, similar to the way they flag child exploitation.
Mr Cameron also told the House of Commons he regularly raised the issue with President Obama.
But while the named tech companies have yet to release statements in response, one digital rights campaigner has attacked the tone of the ISC's findings.
"The government should not use the appalling murder of Fusilier Rigby as an excuse to justify the further surveillance and monitoring of the entire UK population," said Jim Killock, executive director of the Open Rights Group.
"The committee is particularly misleading when it implies that US companies do not co-operate, and it is quite extraordinary to demand that companies proactively monitor email content for suspicious material. Internet companies cannot and must not become an arm of the surveillance state.
"As the report admits, 'lone wolf attacks' are almost impossible to predict - and therefore difficult to prevent.
"The security services should focus their efforts on the targeted surveillance of individuals like Michael Adebolajo rather than continuing to monitor every citizen in the UK."
TechUK, an industry lobby body, added that tech firms had taken part in counter-terrorism talks since the ISC's report was written.
"Positive steps have already been taken since the summer to examine these very complex issues," said Antony Walker, deputy chief executive of the organisation.
"However, if the government believes that it needs additional powers to be able to access communication data it must be clear about exactly what those powers are and consult widely on them before putting proposals before Parliament."