Artificial intelligence and UK national security: Policy considerations

RUSI was commissioned by GCHQ to conduct an independent research study into the use of artificial intelligence (AI) for national security purposes. The aim of this project is to establish an independent evidence base to inform future policy development regarding national security uses of AI. The findings are based on in-depth consultation with stakeholders from across the UK national security community, law enforcement agencies, private sector companies, academic and legal experts, and civil society representatives. This was complemented by a targeted review of existing literature on the topic of AI and national security. The research has found that AI offers numerous opportunities for the UK national security community to improve efficiency and effectiveness of existing processes. AI methods can rapidly derive insights from large, disparate datasets and identify connections that would otherwise go unnoticed by human operators. However, in the context of national security and the powers given to UK intelligence agencies, use of AI could give rise to additional privacy and human rights considerations which would need to be assessed within the existing legal and regulatory framework. For this reason, enhanced policy and guidance is needed to ensure the privacy and human rights implications of national security uses of AI are reviewed on an ongoing basis as new analysis methods are applied to data

The challenge to privacy from ever increasing state surveillance: a comparative perspective

This article explores how internet surveillance in the name of counterterrorism challenges privacy. Introduction International terrorism poses serious threats to the societies it affects. The counter-terrorism measures adopted since 2001 have sought to limit the advance of terrorism but, in the process, also created enormous challenges for (transnational) constitutionalism. Long-held and cherished principles relating to democracy, the rule of law and the protection of a wide range of human rights have come under increasing strain. Legislative authority to shoot down hijacked aircrafts or to use lethal drones against suspected terrorists affect the right to life; waterboarding of prisoners and other inhumane practices contravene the prohibition of torture; extraordinary renditions and black sites circumvent constitutionally protected rights and processes, including the right to freedom and security, the right to a fair trial and due process for suspected terrorists; ill-defined terrorism offences undermine the rule of law and personal freedom; blanket suspicion of Muslims as terror sympathisers impacts on freedom of religion and leads to unfair discrimination; and mass surveillance of communication sweeps away the right to privacy. This article explores how internet surveillance in the name of counterterrorism challenges privacy. In Part II, the article analyses the international dimension of counter-terrorism measures and the conceptualisation of data protection and privacy in the European Union (‘EU’), the United States of America (‘US’) and Australia. Part III compares the different concepts of data protection and privacy, and explores the prospects of an international legal framework for the protection of privacy. Part IV concludes that work on international data protection and privacy standards, while urgently needed, remains a long-term vision with particularly uncertain prospects as far as antiterrorism and national security measures are concerned

Protection of personal data in security alert sharing platforms

In order to ensure confidentiality, integrity and availability (so called CIA triad) of data within network infrastructure, it is necessary to be able to detect and handle cyber security incidents. For this purpose, it is vital for Computer Security Incident Response Teams (CSIRT) to have enough data on relevant security events and threats. That is why CSIRTs share security alerts and incidents data using various sharing platforms. Even though they do so primarily to protect data and privacy of users, their use also lead to additional processing of personal data, which may cause new privacy risks. European data protection law, especially with the adoption of the new General data protection regulation, sets out very strict rules on processing of personal data which on one hand leads to greater protection of individual's rights, but on the other creates great obstacles for those who need to share any personal data. This paper analyses the General Data Protection Regulation (GDPR), relevant case-law and analyses by the Article 29 Working Party to propose optimal methods and level of personal data processing necessary for effective use of security alert sharing platforms, which would be legally compliant and lead to appropriate balance between risks