Written evidence submitted by Edward Lucas
Introduction
I have been dealing with European security for more than thirty years, as an activist during the Cold War, and also as a journalist, author, analyst and consultant.[1] I sounded the alarm about Russia more than a decade ago, when such concerns were still unfashionable. The West is now waking up to the threat posed by Russian influence operations but we are still making two mistaken assumptions.
1) That the problem is new. Wrong. It is new only to those who have not been paying attention. Soviet “active measures” (intelligence-led influence operations) date back to the 1920s. Russia made mischief in the Baltic states and elsewhere in the former Soviet empire even in the 1990s, when relations with the West were supposed to be cordial. These countries warned us.[2] We didn’t listen.
2) That the problem is only or chiefly about information. Overt and covert information operations are just one part of the Kremlin’s active-measures arsenal, and not necessarily the most important. We should not assume that the bit of the problem we can see (or think we can see) is the one we should worry about most. [3]
Our starting point should be that Russia is a hostile and revisionist power which threatens British and allied interests. Surprisingly, this proposition is still contested. Some argue that Russia is merely reacting to real or perceived provocations by the West (such as the expansion of the EU and NATO); others say that Russia is a paper tiger, which has no real ability to damage the West. The third argument is moral equivalence: Russia may be doing bad things, but so do we.
All three of these arguments are false. The fact that Russia does not regard its ex-colonies as fully sovereign is no reason for us to do the same. Countries such as Estonia and Poland have chosen freely to adopt our approach to politics, economics and security. We should respect their choice. We did not provoke Russia. Russia chose to be provoked.
Secondly, it is true that Russia is a lot weaker than the West. Its population is about one-seventh of ours. Its GDP is about one-fourteenth. But it still has the capacity to do us harm. It poses a military threat in the Baltic states, where geography and NATO’s weaknesses make it hard to muster a strong conventional defence. It has a proven ability to confuse, distract and distort decision-making, both by targeted attacks on elites, and exerting broader influence on public opinion.
Proposals
It is time to stop admiring the problem of Russian influence and information operations, and to start trying to solve it.
However, we should not try to impose rules on permissible content. Defining “fake news” is hard. In terms of content, there is no clear dividing line between good journalism and bad journalism, and there is no dividing line between bad journalism and mis-information, dis-information and propaganda. We have enough trouble already trying to define and enforce definitions of obscenity, extremism and topics such as Holocaust denial. We should not add to our problems by trying to define “Fake News” on the basis of content.
Instead we should concentrate on the channels and platforms which are used to wage information attacks against us.
The greatest asset our adversaries have here is anonymity. Anonymity is an aberration in real life. On the internet, it’s the norm. This has grown up by chance. When the internet was being developed in the 1980s, nobody took a considered policy decision to make anonymity the default setting for what was to become the central nervous system of modern civilisation.
Anonymity comes in three main forms. It is possible to set up an anonymous website. (One can buy a prepaid debit card with cash, and use that to pay for a domain-name registration and hosting). The registration details can be invented or omitted—indeed internet registrars explicitly encourage customers to conceal their identity in the name of privacy.
Nothing prevents you registering a site with a misleading name.
We would not readily allow this in the real world. Trademark legislation prevents impersonation. Anonymous political leaflets in elections are forbidden.
The second form of anonymity is in social-media and e-mail accounts. It is easy to set up an e-mail in someone else’s name.
And to do the same with Facebook.
These accounts can be combined with publicly available images and data to look real.[4] This is not illegal so long as nobody is obtaining money by false pretences or breaching copyright laws.
The third form of anonymity is in advertising. Using a pre-paid debit card it is possible to buy advertising on Facebook, Google or other social media, with an untraceable payment trail. Those viewing the ads have no idea who paid for them. Outsiders have no idea how much has been spent or to what effect.
Anonymity as the default standard in our online lives has pernicious effects. It allows the untraceable flow of money into political advertising. It encourages the creation of large numbers of fake accounts, whether controlled by computer (“bots”) or individuals acting under orders (trolls). There is a role for anonymity—for example in political speech in totalitarian countries. But we should also have the right to prove who we are, and to ask the same of people we are dealing with. This is called “Identity Assurance”.
In a free society, we should expect people to stand behind what they say. If a website has no real-world contact details, or no real people working for it, we should give it no more credence than a leaflet we see lying in the gutter. If we get a message from an e-mail address or social-media account that is not backed by hard, real-world credentials, we should ignore it—just as we do with junk mail that drops through our letter box. As consumers, citizens and policy-makers, we should be putting pressure on the tech giants to give us something that in the real world we take for granted: the ability to prove who we are, and to check the identity of the people we are dealing with.
Here are three proposals to promote a healthier system of identity assurance.
1) Make it easier to spot anonymous websites. We are used to warnings about sites that may damage us through malware.
We should have something similar for anonymous sites. The warning could say “The owners of this site have taken active steps to conceal their identity. This typically involves concealing or omitting data about its physical location, the people involved in providing content, and who pays for it.”
2) We need clearer information about the realness of the owners of social-media and e-mail accounts. Facebook and Twitter offer some information. But their procedures are binary and arbitrary. Users of the platforms have no right to be verified. The criteria are not published. There is no right of appeal against the platforms’ decisions. Google has no current means for users’ identity assurance.
The committee should encourage the government to work with the G20 and the OECD to promote international standards of identity assurance.
3) We need information about advertising on Communication Service Providers. Advertisers can have no automatic expectation of privacy: if they want to stay in the shadows, they should not be advertising. The CSPs should maintain central registers of advertisements, and allow those viewing advertisements to find out who is behind them.
March 2018
[1] I spent more than three decades as a journalist, working as a foreign correspondent for among others the BBC, the Independent, the Sunday Times and the Economist, and writing for American news outlets including the Washington Post, the Wall Street Journal, Foreign Policy, Politico and the American Interest. I am now a columnist for the Times, and senior vice-president at CEPA, a thinktank in Washington, DC.
In 1989 I was the only Western newspaperman living in Communist-era Czechoslovakia before the Velvet Revolution brought down the regime. I was the last Western journalist to be expelled from the Soviet Union, having received in March 1990 the first visa given by the new, and then-unrecognised, Lithuanian authorities. In 1992 I founded and ran the first English-language weekly in the Baltic states. In 2010 I coordinated the defence for my employer, The Economist, in a high-stakes libel action brought against us by a Russian tycoon who denied that his fortune benefited from his association with Vladimir Putin. I know Russian, German, Polish, Czech and some other languages. As well as the ‘New Cold War’ (2008, which sounded the alarm about Putin’s Russia), I am the author of ‘Deception’ (2011, on east-west espionage), ‘The Snowden Operation’ (2014) and of ‘Cyberphobia’ (2015) which deals with internet anonymity and privacy.
[2] For example, in this speech by the then Estonian president, Lennart Meri, in 1994 https://vp1992-2001.president.ee/eng/k6ned/K6ne.asp?ID=9401
[3] In this article for the CEPA website, I outline 20 elements in the Kremlin’s toolkit. Information is just one. Military means of all kinds are one other.
[4] The Gmail account was deleted within minutes.