is susceptible. Intelligence agencies like GCHQ have argued that mass surveillance does not violate privacy because the process is machine-driven, involving little or no human intervention. The automated nature of the process means that the vast majority of intercepted data is discarded without a human being ever having looked at it. Once data of interest is identified, an examination warrant is needed before the examination can be undertaken.17 However, the reality of big data analysis is somewhat different. There are six stages in the surveillance process: initial interception of the signals, often from cables as they enter the country; extraction, where the signals are converted into an intelligible format; filtering, where analysts identify particular information of interest; storage, where this information is retained for further analysis; analysis, where the stored information is queried or examined; and dissemination, where the information is sent on to the relevant agencies.18 Spy agencies are reluctant to admit that privacy is interfered with at all stages of the surveillance process; yet the very act of diverting data from its original and intended path affects communications privacy, even when the process is automated.19 The most glaring privacy invasion, though, occurs at the filtering stage. Analysts need to identify the search terms (known as selectors) used to process the raw data, and this involves subjective decisions about what matters and what doesn’t; so, clearly, there is human intervention at this stage, even if the selectors are then applied through an automated filtering process.
Analysts may use hard selectors (such as email addresses or telephone numbers), a combination of selectors (such as an Internet Protocol address combined with a name), or what Eric King, director of Don’t Spy on Us, an organisation campaigning for surveillance reform in the UK, has referred to as ‘fuzzy selectors that can easily be critiqued’ (such as ‘all Muslims living in the city of London’).20 Once analysts have the data, they may become so overwhelmed by its volume that they bring their own subjective lenses to bear on the analytical process. As a result, agencies have a vested interest in being as precise as possible, but the dangers of overbreadth remain nonetheless. According to King:
Mass surveillance and targeted surveillance aren’t adequately precise. This doesn’t do justice to agency practice, which is to collect on a very large scale but in a targeted manner. Sometimes they overcollect. They may be going after a group, then may collect far more than they need … Targeted and mass surveillance are functionally hard to separate … What I take umbrage with is the limiting of people’s rights in the process. Where I have a problem is the gathering of information of a whole country. Intrusion occurs when data is filtered out of the cable, irrespective of how much. There are a number of cases where communications have been intercepted when they were the target and where they weren’t the target.21
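To make the point about selectors concrete, the sketch below is a minimal, hypothetical illustration in Python, not a description of any agency’s actual tooling. The three kinds of selectors are taken from the discussion above; all names, attributes and messages are invented. The filtering runs automatically, but which selectors are chosen, and how broadly a ‘fuzzy’ selector is drawn, is a human judgement that determines whose communications are retained for storage and analysis.

```python
# Hypothetical sketch of selector-based filtering at the 'filtering' stage.
# All data and identifiers below are invented for illustration only.

from dataclasses import dataclass


@dataclass
class Message:
    sender_email: str
    sender_name: str
    ip_address: str
    city: str
    religion: str   # an attribute a 'fuzzy' selector might rely on
    body: str


# Hard selector: matches a precise identifier such as an email address.
def hard_selector(email: str):
    return lambda m: m.sender_email == email


# Combination selector: e.g. an IP address combined with a name.
def combination_selector(ip: str, name: str):
    return lambda m: m.ip_address == ip and m.sender_name == name


# 'Fuzzy' selector: a broad, subjective category such as
# 'all Muslims living in the city of London' -- overbroad by design.
def fuzzy_selector(city: str, religion: str):
    return lambda m: m.city == city and m.religion == religion


def filter_intercepts(messages, selectors):
    """Automated filtering: retain any message hit by any selector.
    The mechanics are automatic, but the choice of selectors is human."""
    return [m for m in messages if any(sel(m) for sel in selectors)]


if __name__ == "__main__":
    intercepts = [
        Message("alice@example.org", "Alice", "203.0.113.5", "London", "Muslim", "..."),
        Message("bob@example.org", "Bob", "198.51.100.7", "Leeds", "None", "..."),
    ]
    selectors = [
        hard_selector("target@example.org"),
        combination_selector("203.0.113.5", "Alice"),
        fuzzy_selector("London", "Muslim"),   # sweeps in an entire community
    ]
    retained = filter_intercepts(intercepts, selectors)
    print(f"{len(retained)} of {len(intercepts)} intercepts retained for storage and analysis")
```

Even in this toy example, the fuzzy selector retains the communications of everyone who matches a broad group profile, which is precisely the overbreadth King warns against.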
US attorney Brandon Mayfield is a real-life example of just how wrong big data-driven intelligence work can go. In 2004, he was falsely linked to the Madrid train bombings after his fingerprints were incorrectly matched to those found at one of the crime scenes. His fingerprint had found its way into an International Criminal Police Organisation (INTERPOL) database after an arrest two decades earlier on a charge that was subsequently dropped. In addition to the matched fingerprint, Mayfield became a prime suspect because he had converted to Islam and, as an attorney, had represented a person accused of attempting to assist the Taliban. Another suspect who did not fit this profile was ignored.22 Yet, in spite of the real dangers of falsely accusing people of a crime through big data analysis, and of using that analysis to confirm existing prejudices against social groups (Muslims, for instance), intelligence agencies are relying more and more on intelligence gleaned from big data.
ICTs have made contemporary life much more convenient; but they have also created new mechanisms of potentially anti-democratic social control. Is it really desirable for the state and private companies, sometimes working together, to regulate the most private actions and even thoughts of citizens? Concerns about powerful institutions having such intimate knowledge about us have led many to fear that we are living in a surveillance society, in which the collection, retention and analysis of vast quantities of data for the purposes of controlling human behaviour become central to our social fabric. Even more worryingly, we may be living under a surveillance state, in which the state uses this information to control citizens more effectively than in the past, because it has access to their most intimate details.
The surveillance society and state did not come out of nowhere; they have been under construction for many years. David Lyon has warned of the dangers by referring to what he calls ‘the slow cooker of surveillance’, in which the practices and technologies being deployed now have evolved over several decades.23 Such warnings, however, have been confined largely to the arcane forums of academic publishing, rarely spilling over into public debate. The ‘slow cooker’ effect becomes apparent only when people understand the full extent of the surveillance architecture and how the different elements of the surveillance assemblage link together. This bigger picture allows active citizens to anticipate what the state’s capacities are likely to be and how the corporate sector bolsters these capacities: information which, in turn, can be used to recognise when the state is becoming too powerful.
Surveillance creates mistrust between governments and citizens, leading to a reluctance to speak out on controversial issues of public importance, and even to self-censorship. Being watched, or the fear of being watched, has a chilling effect: it may dissuade people from expressing their innermost thoughts and, when they do, they may alter what they say to please those whom they think may be watching. In this regard, a distinction needs to be drawn between targeted surveillance and mass surveillance. Targeted surveillance involves the observation and gathering of information about individuals and groups where there is a reasonable suspicion that they have been involved in a crime, or where there are strong reasons to believe that they may be intending to commit one. This form of surveillance has also become known as ‘lawful interception’, as communications service providers are usually required by law to assist with such interceptions for the purposes of surveillance. Governments generally prescribe standards that communications companies must meet in making their networks surveillance-capable for lawful interception purposes: standards that originated with the Communications Assistance for Law Enforcement Act (CALEA), passed by the US Congress in 1994 in response to law enforcement concerns that their ability to monitor networks was declining (or ‘going dark’) as more networks were digitised. The Act required network operators to use digital switches or handover interfaces with surveillance capabilities built into them: a requirement that was later incorporated into EU regulatory frameworks as well, according to standards set by the European Telecommunications Standards Institute (ETSI), which became known as the ETSI standards.24
CALEA and ETSI standards have become internationalised as the surveillance standards for many countries.25 According to the communications security expert Susan Landau, while these standards have made surveillance of digital networks easier, they have also introduced security vulnerabilities that have been exploited by intelligence agencies and criminals alike. Between 2004 and 2005, still-unidentified individuals exploited the inherent weaknesses in these interfaces to intercept the communications of senior Greek government officials for ten months, until the vulnerability was discovered. Over six thousand Italians, including judges, politicians and celebrities, also had their communications intercepted by criminals over a period of a decade.26 In 2012, in the wake of massive abuses of internet freedom by regimes desperate to cling to power in the Middle East and North Africa, the Directorate-General for External Policies of the European Parliament called for a reconsideration of some ETSI standards, as they were simply too vulnerable to abuse and enabled mass surveillance.27 Yet, in spite of these problems, South Africa adopted CALEA and ETSI standards in 2005, including some of the very standards about which the European Parliament had expressed concern.
Before we proceed with this discussion, it is necessary to add a terminological note on the differences between monitoring, surveillance, interception and equipment interference, as these terms are difficult to distinguish from one another, and at times some are used interchangeably. Monitoring involves the intermittent observation of communications over a period of time without specific pre-defined objectives. Surveillance, on the other hand, involves much closer continuous