ARTICLES It’s not just ‘fringe’ groups that are at risk of surveillance – UK civil society needs to learn digital security, and fast

A perfect storm of hacking and big data, corporate spying, and the surveillance-obsessed British state puts everyone at risk.

Two years ago the human rights NGO Amnesty International was informed that the UK government had spied on its communications. It had taken 18 months of litigation and persistence to confirm their suspicions.

In response, Amnesty’s Secretary General Salil Shetty said: “It’s outrageous that what has been often presented as being the domain of despotic rulers has been occurring on British soil, by the British government.”

It’s worth noting that this instance of state snooping happened before the ‘Snoopers Charter’ of 2016 gave GCHQ basically free reign to snoop on citizens. The passing of that act arguably marked the point that the British government went off the deep end in terms of surveillance and authoritarianism.

That story highlights just one aspect of the perfect storm of corporate and state privacy infringement which should make all those involved in British civil society extremely worried – and security-conscious.

It would be foolish to claim political repression in the UK is on a par with that in Russia or Turkey. But it would be just as foolish to ignore the considerable history of state snooping in the UK, or the growing role of this government as peddler of dangerous surveillance equipment – at home and abroad.

If this all sounds far-fetched, consider the ‘spycops’ scandal. Undercover police officers were revealed to have slept with the activists they were targeting. They maintained fictitious lives, and often relationships, for years. They have misled courts and withheld crucial evidence. It’s likely still going on, and it starkly illustrates what the British state is willing to do to maintain the status quo.

We’ll probably never know the real scale of the enormous infiltration operation used against left-wing groups since the 1960s, but we do know it included the family of Stephen Lawrence, and more recently, Green peer Jenny Jones.

Being an activist in the mid-2000s – especially environmental actions – was to inhabit a world where police infiltration was expected, as was violence, surveillance and intimidation. Many people from outwith this ‘scene’ are still surprised when this is described to them. But it was nothing new. And the idea that this surveillance was something reserved for ‘extreme’ or ‘hardcore’ activists, those blockaders of roads and coal trains, is disproved by the discovery in 2009 of the ‘blacklist’ – a secret file listing thousands of construction workers labelled as ‘trouble-makers’.

Corporations – in this case construction companies – were behind the blacklisting scandal, though it’s known now that undercover officers colluded with the company operating the blacklist, and the names of activists appeared alongside those of trade unionists.

The scandal showed the power of ‘big data’ long before Cambridge Analytica started scraping our Facebook likes. Now the threat is even more severe. The extent of corporate spying on civil society, going back years, is surely now well-known – Shell and McDonalds being most notorious – but while it used to be a dodgy-looking guy at a London Greenpeace meeting, now it can be much more subtle.

Obviously the most prominent recent examples of this ‘surveillance capitalism’ era are the tactics being used against activists. For instance in the US, Black Lives Matter protestors are spied on by police using sophisticated software that trawls social media. And Gulf regimes have eagerly bought up mass surveillance technology – mostly hawked by the UK and Israel – and used the software to track and imprison dissidents. But these are the mine canaries. It’s not just outspoken activists leading street protests who will increasingly be targeted like this. All civil society is at risk.

NGOs, if successful in their job, are sometimes an annoyance or threat to the state; alongside journalists, trades unions, campaigners and other cogs of civil society, NGOs are often crucial in forcing reform or exposing corruption. So it is not surprising that such organisations have been high on the hit-list of rulers seeking to consolidate power and silence opposition. Idil Eser, Amnesty International’s Turkey director, is currently in jail awaiting trial.

The list of governments using propaganda and legislation to undermine NGOs is long. While Putin does it more bluntly, such a trend is visible in the UK: the ability of civil society groups to play a part in politics was severely curbed by the so-called “gagging law” of 2014, which still remains in place despite continued protest. Recent proposals for a new Espionage Bill take things even further, threatening jail time for anyone sharing leaked ‘sensitive’ information, including journalists. Add this to last year’s Investigatory Powers Act (IP Act), which has made the UK one of the most extreme surveillance states in the world, and the path we’re on is pretty clear.

The other side of this ‘perfect storm’ is hacking. Police and security services hack, of course – see the huge powers handed to them under the ‘equipment interference’ section of the IP Act – but increasingly geopolitical squabbles and anti-democratic attacks are taking the form of cyber attacks.

Ukraine has suffered a barrage of cyber attacks over the past year, with sophisticated malware taking out banks, media organisations, and even national infrastructure. The power grid in parts of Kiev went down at Christmas last year, plunging people into darkness when temperatures outside were below freezing.

Clearly some of these attacks are being carried out on the orders of state actors; a kind of proxy war being conducted silently and invisibly. It’s an incredibly powerful tool: what quicker way to silence a troublesome organisation, be it journalistic or campaign group, than to hack into its (often poorly-protected) digital infrastructure? Files can be deleted or altered, private information stolen, and sites taken offline at a crucial time. Human rights defenders are particularly at risk, as cases documented by Front Line Defenders show.

Even aside from the darker aspect of political interference, stealing data from organisations is lucrative, making commercially-driven attacks an issue too.

Paranoia is not useful; the first step in digital security is assessing the actual risk. Who might be the threat, and what would be their motives? Where are your weaknesses? Many organisations still use obselete operating systems, which are sitting ducks for cyber attacks – as the recent ransomware outbreaks, targeting an old version of Windows, demonstrated. Guides to basic digital security, like Security in a Box, are a good place to start.

Digital technology has made campaigns and civil society actors more powerful than ever, able to quickly reach and mobilise huge numbers of people. There was always going to be a flip side of the coin in terms of the threat this tech enables, and the authoritarian turn by governments globally makes that threat much more severe. Getting clued up on security is an essential step in winning the big fights ahead.