Tech firms' anti-terrorism efforts criticised in Rigby report

By Leo Kelion, Technology desk editor

Published 25 November 2014

Image caption: Fusilier Lee Rigby was murdered by Michael Adebowale in London on 22 May 2013

The Intelligence and Security Committee (ISC)'s report into the murder of Fusilier Lee Rigby suggests there was a "significant possibility" MI5 could have prevented the attack had its officers been aware of an online exchange in December 2012 between Michael Adebowale and a person codenamed Foxtrot.

"The party which could have made a difference was the company on whose platform the exchange took place," it says.

However, it adds, the company "does not appear to regard itself as under any obligation" to have identified the conversation or acted to prevent the threat of an attack becoming reality.

"There is therefore a risk that, however unintentionally, it provides a safe haven for terrorists to communicate within."

The version of the report released to the public does not identify the service involved, but goes on to highlight the "considerable difficulty" MI5 has accessing content from six US-headquartered companies:

Facebook

Apple

Google

Microsoft

Twitter

Yahoo

This returns to a theme highlighted earlier this month by Robert Hannigan, the new director of GCHQ, who wrote an article for the Financial Times suggesting the tech giants were in denial over the fact their services had become "the command-and-control networks of choice for terrorists".

Image caption: UK agencies suggest it is difficult to get US tech companies to comply with intercept requests

The companies, in turn, have stressed their need to protect users' privacy. They have promised to co-operate with the authorities if surveillance requests occur under a legal framework and with oversight.

But the ISC highlights the practical problems British authorities experience when they try to hold the companies to this commitment.

Its report states that because the companies are US-based, they refuse to accept the UK has jurisdiction over them when it comes to lawful intercept requests and instead require authorisation from the US courts.

For example, it notes that Twitter's guidelines explicitly stated that requests for tweets, direct messages, photos and other content required a "valid US search warrant".

In fact, the reference to the United States in this passage has since been dropped from Twitter's site, but the San Francisco-based company still states it only guarantees a response to "valid legal process issued in compliance with US law".

Forward planning

The UK is, of course, an ally of the US, and British agencies can request their American partners seek local authorisation on their behalf.

The problem is that in practice, the ISC says, this only happens when there is an imminent threat to life.

The conversation in which Adebowale said he intended to murder a soldier occurred about five months before the attack - the implication is that this might not have qualified.

So why aren't the tech companies flagging up spotted threats themselves?

The committee says it had been told the messaging service used by Adebowale had closed some of his accounts before the murder and that GCHQ believed this was because the company's automated internal checks for terrorism-related content had been triggered.

Image caption: The ISC's chairman, Malcolm Rifkind, thinks a desire to protect users' privacy should not be allowed to outweigh the opportunity to prevent terrorist atrocities

Yet it notes that no person at the company had ever reviewed the contents of the accounts or passed on the material for the authorities to check.

The ISC contrasts this with the fact such companies are often quick to tip off others when it comes to suspected cases of child abuse.

"On the basis of the evidence we have received, the company does not have procedures to prevent terrorists from planning attacks using its networks," the ISC says.

Automated checks

The committee does, however, acknowledge that the six named US companies took different approaches to the matter.

Its report states:

Apple, Twitter and Yahoo said they did not proactively monitor their members' communications - Twitter noted the volume of material it hosted made this "unfeasible"

Google said it ran an automated system to detect dangerous websites and suspicious log-ins among other material, but only manually reviewed a small percentage of the findings

Microsoft said it did not monitor communications "in the way [the ISC's members] contemplate"

Facebook's reply is redacted

For the most part, however, the ISC says the companies rely on either other users or the authorities notifying them about offensive content before taking action - an approach it suggests is ill-suited to tackling covert communications between terrorists.

Image caption: GCHQ is faced by both the growth in online communications and the rise of encryption

Furthermore, it highlights that the companies' embrace of complex encryption techniques is making it even harder for GCHQ to spot potential threats in the "204 million email messages, 100,000 tweets and a million Facebook posts" sent every minute.

And the report is critical of the suggestion the companies need to prioritise their users' privacy.

"Where there is a possibility that a terrorist atrocity is being planned, that argument should not be allowed to prevail," it says.

Tellingly, a section covering how GCHQ and others are seeking to tackle the issue is blanked out.

'Impossible to predict'

Prime Minister David Cameron and Labour Party leader Ed Miliband have both called for the tech companies to create a standard method to alert the authorities to cases of suspected extremism, similar to the way they flag child exploitation.

Mr Cameron also told the House of Commons he regularly raised the issue with President Obama.

But while the named tech companies have yet to release statements in response, one digital rights campaigner has attacked the tone of the ISC's findings.

"The government should not use the appalling murder of Fusilier Rigby as an excuse to justify the further surveillance and monitoring of the entire UK population," said Jim Killock, executive director of the Open Rights Group.

Image caption: Digital rights campaigners are concerned by the idea of email being monitored

"The committee is particularly misleading when it implies that US companies do not co-operate, and it is quite extraordinary to demand that companies proactively monitor email content for suspicious material. Internet companies cannot and must not become an arm of the surveillance state.

"As the report admits, 'lone wolf attacks' are almost impossible to predict - and therefore difficult to prevent.

"The security services should focus their efforts on the targeted surveillance of individuals like Michael Adebolajo rather than continuing to monitor every citizen in the UK."

TechUK, an industry lobby body, added that tech firms had taken part in counter-terrorism talks since the ISC's report was written.

"Positive steps have already been taken since the summer to examine these very complex issues," said Antony Walker, deputy chief executive of the organisation.

"However, if the government believes that it needs additional powers to be able to access communication data it must be clear about exactly what those powers are and consult widely on them before putting proposals before Parliament."