Spying is Getting Harder

It's an open secret that 3-letter agencies around the world spy not only on each other but on their own citizens as well. Within Singapore, that responsibility falls upon the Internal Security Department, a domestic intelligence agency with license to surveil and address security threats. Domestic surveillance is a controversial yet vital component of internal security, helping to stop tragedies before they happen[1].

Technological advancement has increased the importance of signal intelligence (SIGINT) and reduced the role of old-school human intelligence (HUMINT) techniques. Instead of attempting to infiltrate suspicious organisations, agents simply monitor their calls, emails, SMSes and chat groups. Rather than shadow suspects, they can monitor their quarries remotely using planted smartphone malware or by doing cell tower triangulation[2].

Just six years ago, this was largely science fiction. The popularity of smartphones and our increasing reliance on the Internet heralded a new age in state surveillance. For the first time, just about everyone voluntarily carries an all-in-one audio recorder, camera and GPS tracker wherever they go. The smartphone may very well be the most powerful tool in the surveillance arsenal. We carry our entire lives around, perilously encased in a flimsy device. Our photos, friends, conversations, habits, interests, internet surfing history, media consumption, and even political affiliations are easily available to anyone with access.

Snowden and Manning have made public many of the curious tools attackers use to gather SIGINT, highlighting the insecurity of internet-connected devices including smartphones, smart televisions and other not-so-smart devices. British intelligence agency GCHQ[3] and the American NSA have each developed specialised tools for penetrating smartphones. GCHQ's "Smurf Suite" includes the "Nosey Smurf" which allows audio recording even when the phone appears to be turned off and "Tracker Smurf" for remote location tracking. The NSA has a similarly impressive list of curiously named hacking tools. Never before could law enforcement and intelligence agencies track so many people to such detail and with such precision using so few resources.

Unfortunately, the spying honeymoon is coming to an end. Several years ago, the majority of digital communication online was unencrypted. Encryption was tedious to set up. Few businesses and users saw the need.

Following the many leaks revealing the presence of sophisticated global surveillance systems, and with cybercrime on the rise, a massive push for encryption began, with major technology companies taking the lead in encrypting all online communications. One of the marvels of the digital world is that the marginal cost of extending digital encryption is nearly zero, meaning that there is little cost in encrypting even trivial data with effectively unbreakable encryption.

The issue 3-letter agencies face is that encryption applies equally to all. The same security that prevents cybercriminals from stealing your credit card details also prevents law enforcement agencies from reading terrorists' chat messages. As virtually unbreakable end-to-end encryption becomes the norm, security agencies are finding it near-impossible to conduct surveillance or to read the encrypted data they recover. This cripples domestic intelligence efforts.

When SMSes and unencrypted emails were the norm, interception and surveillance were trivial. But modern messaging applications such as WhatsApp and Telegram (the messaging app of choice for ISIL) offer end-to-end encryption, meaning nobody but the intended recipient can read messages sent through these platforms, not even the companies themselves. By facilitating secure and secret communication, they provide terrorists a sanctuary from which to orchestrate deadly attacks.

Khalid Masood, the perpetrator of the Westminster attack earlier this year, allegedly sent a WhatsApp message just 3 minutes before he began his attack. But British law enforcement and intelligence are unable to determine the contents of the message or to whom it was addressed (which could help identify his co-conspirators) due to WhatsApp's end-to-end encryption. Home Secretary Amber Rudd has accused WhatsApp of providing terrorists "a secret place to hide" whilst PM Theresa May called for regulation of the use of encryption, though neither went as far as to attempt to ban such messaging services entirely, as David Cameron did. The UK is in good company. France and Germany have criticised the current state of encryption whilst the heads of the NSA and CIA have bewailed the fact that encryption has stymied many an investigation. The bane of encryption is one of the few things almost every government in the world can agree is a looming problem.

Improved surveillance over Anis Amri or Khalid Masood might have revealed information justifying their detainment or at least continued surveillance, possibly preventing them from carrying out their deadly attacks. Without concrete intelligence pointing towards an imminent security threat, intelligence agencies had to make a difficult choice: continue devoting precious resources to surveilling these seemingly non-threatening[4] subjects or focus their attention on the thousands of other potential threats.

The power to surveil without accountability or oversight is dangerous for society, but so is extremism and terrorism. There is an inherent tradeoff between privacy and security. We consent to being searched before boarding planes or attending mass events because such security measures make us safer. Increased encryption and privacy measures reduce cybercrime, but hinder domestic intelligence. Every society has to decide where to compromise between security, privacy and accountability.

Singapore has largely erred on the side of security. The Criminal Procedure Code and Computer Misuse and Cybersecurity Act are broadly phrased, allowing the government access to data in possession of any company in Singapore without a warrant. This allows law enforcement agencies to do pre-emptive surveillance of SMSes, email messages, web surfing history, etc. via telcos. Cell tower triangulation can be used to determine a subject's current location as well as where they've been since they purchased their cellphones. Former Attorney General Francis Seow highlighted the sophisticated surveillance techniques used by the government, noting that in 1999, SingTel surreptitiously scanned 200,000 computers belonging to its subscribers.

The ability to obtain such data without a court order or search warrant stands in sharp contrast to the official state of affairs in the USA and the UK (though leaks have revealed the laws aren't always obeyed). Lower confidence in government[5] and a different sociopolitical environment mean the West has generally favoured privacy and accountability over security. For all the criticism the Internal Security Act has received, its usefulness in detaining potential security threats, even without concrete evidence, may have been invaluable in stopping attacks on Singapore soil at a very early stage. We are not alone in understanding the importance of such legislation. Switzerland and the US have similar legislation in place[6] and discussions are underway in Australia to introduce such laws. Facing the greatest terror threat in recent years, Britain has recently passed legislation legalising "the most extreme surveillance in the history of western democracy".

After the swath of terror attacks rocking Europe, leaving France and the UK on high alert, the importance of pre-emptive surveillance cannot be overstated. Singapore's arrangement, which unburdens law enforcement agencies, may be the more enlightened one. Our approach decimated an 8-year-old Al-Qaeda sleeper cell, and more recently has helped identify radicalised Singaporeans before they posed a danger to themselves or to others. Singapore is one of the few countries in the world that has not yet experienced a terror attack on its shores. Not even New Zealand and Switzerland can boast such a feat. Domestic intelligence plays a vital role in our framework of Total Defence, identifying and addressing security threats at an early stage, because knowing is half the battle.

  1. How much surveillance is truly required and how effective our "precogs" are is the subject of controversy.

  2. Whilst there is no evidence this is done in Singapore, it is both legally and technologically possible. In fact, the government would be unwise not to make use of such capability in pursuing and tracking subjects.

  3. Government Communication Headquarters. Ironically it has little to do with the government's own communications.

  4. MI5 assessed Khalid Masood was not a threat at the time and so did not put him under active investigation.

  5. According to Gallup polls, it's currently at 19% in the US whilst Singapore's lowest was 70%.

  6. The USA has the PATRIOT and National Defence Authorisation Acts whilst Switzerland has "administrative detention" via local laws.