
SSC Report and Surveillance: Big brother looking out for you?

James Knapp, Principal Consultant at Stag Risk Management, writes that the SSC Inquiry into the use of external security consultants by government agencies raises more urgent questions than answers.

The report from the State Services Commission (SSC) investigation into government agencies’ use of private security providers, and in particular the private investigation firm Thompson and Clark Investigations Limited (TCIL), was widely reported as ‘scathing’. ‘Paradoxical’ is perhaps a better description, raising the question, “Okay, so what do we do now?”

On releasing the report, State Services Commissioner Peter Hughes stated, “It is never acceptable for an agency to undertake targeted surveillance of a person just because they are lawfully exercising their democratic rights – including their right to freedom of expression, association and right to protest. That is an affront to democracy.”

I don’t think one would find a single New Zealander in disagreement with that statement. I strongly doubt any public servant or agency would ask for surveillance ‘just because’ someone is expressing an opinion; rather I suspect the concern would come from how they were expressing it.

James Knapp specialises in health, safety and physical security for remote workers who face high-risk situations. He is a member of the NZIPI and IIRSM.

No public servant wakes up in the morning determined to use their work to trample on people’s rights. Yet since the inquiry, the media, activist groups and even security commentators seem to have used a very broad brush to paint all commercial intelligence-gathering and threat assessment activities as antidemocratic.

According to the SSC website, the inquiry “looked at TCIL’s reporting to government agencies on ‘issue motivated groups’, which treated those groups as a security threat.”

Did all agencies really consider issue-motivated groups (IMGs) to be security threats, or is that a generalisation? If the generalisation is broadly accurate: was that position based on the advice provided by TCIL, was it tribalism (“your group is opposed to my group, therefore you pose a threat to me”), or was it perhaps a genuine misunderstanding of the nature of the risk?

I personally never regarded any ‘group’ as a threat. A group is made up of individuals who, like all members of society, sit somewhere on a spectrum from great to awful. I have categorically ruled out several individual activists as safety threats, saving time and stress, largely thanks to advice from TCIL. However, in order to work out who might be and who is not a threat, one has to look at the bigger picture. Is it fair to monitor the public activities of a group in order to detect and prevent offences?

I asked Gavin Clark, Director of TCIL, for comment about whether IMGs are a threat. He was adamant that “TCIL believe in and embrace the right to freedom of speech and expression”, adding that “TCIL have never prevented any lawful protest or activist group exercising their democratic rights”. He confirmed that they did monitor the activities of certain IMGs to detect unlawful protest activity that could threaten people or the continuity of legitimate business.

It seems fair to me that everyone should expect to attract some scrutiny if, in the course of expressing their opinion, they display concerning or threatening behaviour, if they do so in a public place or forum where they have no reasonable expectation of privacy.

We have rights, but we also have a responsibility to exercise those rights in a way that does not frighten other people, solicit or incite violence or obstruct the carrying on of a lawful business.

The risk

While it is indeed the case that not all activists pose a threat to people or the organisations they oppose, it is equally true some fixated or extremist persons or elements within those IMGs could, and have, posed a genuine security risk to the lawful activities of the organisations they oppose.

Threatening interpersonal situations and direct action are uncommon, but they do occur regularly and they rarely make the news. Some examples of anti-1080 threats from the recent past include:

• Agitated persons visiting an office and yelling at staff

• Veiled threats to place man-traps that would cause injury to workers

• Threats or intimidation delivered directly from one person to another

• Online threats to behead, shoot, assault or poison workers

• Accosting, following and personally abusing off- and on-duty workers

• Various attempts to sabotage or disrupt operations, such as attempting to illegally access active helicopter landing sites; scattering ‘Z’ nails on access routes; felling trees across access roads (in one case felling two large native trees); sabotaging equipment, such as fuel trailers; and threatening to shoot down helicopters.

The vast majority of contemporary threats come to staff attention via social media; they are usually non-specific and not targeted at any individual person. However, sometimes posts target an individual and this can cause distress. Online posts that cause serious emotional distress may breach the Harmful Digital Communications Act 2015.

A common tactic that is not necessarily a threat, but is potentially harmful, is that of ‘naming and shaming’ individual company directors or workers. While the original post itself may not be a criminal offence as it may not be threatening in nature, many of the comments or replies are vitriolic and sometimes threatening. The fact that the originator does not always remove threatening comments only lends weight to the presumption that by ‘naming and shaming’ they intend to intimidate the target person or organisation.

A recent trend is the ironic labelling of 1080 use as “terrorism” along with attempts to suggest or justify extremist action.

The need

Workplaces have a legal and moral duty of care to protect people from work-related risks to their health and safety, including their mental health. If an employer knows of a risk, it is incumbent upon them to assess and then eliminate or minimise the risk, whether it has been realised or not (yet). It is expected that organisations, whether Government or commercial, will take reasonable steps to ensure their own security.

Good practice involves not just a general security risk assessment, but also an assessment of every threat or concerning client interaction.

An essential element of risk management is risk analysis and evaluation. Since statistics on violent incidents in New Zealand are limited, it is instructive to look overseas to gain statistically significant insights. For example, the most common venue for mass killings in the United States, including active shooter events, is commercial workplaces, not schools. Sadly, we are not immune in New Zealand – client violence against workers is a serious risk, with the shootings in Northland and Ashburton being extreme examples.

It is essential that concerning interactions are internally reported and assessed for threat potential.

The US Secret Service has noted that over three-quarters of mass killers in 2017 “made concerning communications and/or elicited concern from others” before attacking, while an FBI study of 63 active shooters from 2000-2013 found that a shooter will have displayed on average four to five concerning behaviours. It seems unlikely that any aggrieved person will stew to the point of violence entirely in silence.

Yet paragraph 1.16 of the Inquiry’s report contained the judgement that it “[does] not consider that health and safety obligations require or justify surveillance [including the monitoring of social media] of individuals or groups by external security consultants in circumstances such as these. The company’s other actions to mitigate the risks were appropriate, including physical security measures, and staff training in de-escalation strategies. For more serious concerns, the proper response was to seek assistance from the Police.”

This implies that an organisation needs to define ‘serious concern’. Should they just report every veiled threat or concerning client interaction? The Police are unlikely to continue to respond every time a client becomes upset or abusive. That doesn’t seem to be a sensible use of Police resources.

Conflict is unavoidable, but violence does not always result, and people should not be afraid of harmless venting if they are trained to deal with it. To filter ‘serious concerns’ from normal conflict or trifling abuse, some form of threat assessment may be needed. A threat assessment may include having an independent specialist make objective observations of a client’s tone and behaviour, at a public meeting held on private property, for example.

Proportionality

Intelligence-led risk and threat assessment saves time, money and stress. The traditional (and largely pointless) approach to health and safety risk assessment is to multiply likelihood and consequence using a simple 5 x 5 matrix. That approach does not suit security risk management, because:

1. The consequences of a single rare event can be catastrophic;

2. Risk is not static; and

3. A purely consequential risk assessment could lead to a constant state of high alert.

If every threat or risk event is treated equally, risk may appear to be cumulative rather than dynamic. Ramping up security levels in response to multiple events will eventually translate into a state of constant high alert.

This is undesirable because normal business becomes inefficient, security measures may become prohibitively expensive and the effects of alertness can be damaging. Constant alertness (hypervigilance) can cause unnecessary alarm, stress, and an unnecessarily defensive approach to all client interactions. Conversely, it may result in complacency at the exact wrong time.

Therefore, in assessing emergent security threats from external sources, security managers consider three main elements: capability/means, intent/motivation, and vulnerability/opportunity. Occasionally, a practitioner might seek specialist advice in relation to the likelihood that a specific person will commit violence.

Under the government Protective Security Requirements (PSR), an agency must have a system for setting alert levels. The outcome of a new risk assessment or a specific threat assessment is aligned with a response measures table, which sets out proportionate response measures. Responses are time-limited and cease when the situation normalises. For example, where social media monitoring detects an online threat to assault staff as they depart their office, a threat assessment may indicate that the originator has a low chance of success. Weighed against the potential consequences of success, staff may be informed that there is a low risk of protest action and be reminded of standard security protocols, but with no additional security measures implemented.

Proactivity vs reactivity

In his book 'Protecting People in New Zealand', Carlton Ruffell CPP PSP rightly states, “Those responsible for the security of people should not just wait for threat material to arrive on their desks”.

I take that to mean that those who become aware of the existence of a general risk should then make efforts to proactively detect threats using intelligence gathering. Intelligence gathering works like a funnel, with a broad collection mechanism to source data internally and from outside the organisation, which is then progressively sieved by analysis until it is either disseminated for action or discarded as irrelevant.

Criminal offences have been successfully detected, and in some cases prevented, through intelligence-led risk management, yet the SSC maintains that the surveillance of groups should not occur. If surveillance is defined as broadly as the SSC defines it, how can an agency proactively scan for threats that they can then report to Police?

There is, to my knowledge, no Government-led service that provides the kind of low-level security intelligence service provided by TCIL; it is a gap that is not quite covered by either Police or NZSIS, and that otherwise remains unfilled. Adding to the gap is the fact that information-sharing between agencies is complex, and threat information isn’t shared among Government agencies, let alone commercial organisations that face similar threats – sometimes from the same people.

So what now?

Perhaps the intelligence function could be brought in-house. If so, what is the qualification or experience necessary for intelligence and threat assessment? Does, or should, that capability exist in every organisation and state agency?

Agencies are prevented from comparing notes on persons of concern – despite anecdotal evidence that a person inappropriately interacting with one organisation will often have had run-ins with another. That means an internal capability would have to be duplicated in every agency, but there simply are not enough qualified security managers in New Zealand to fill those potential vacancies.

Building an in-house capability and delivery without a solid framework and tight protocols might also present the same or greater reputational and ethical risks as outsourcing.

Worse, the report may suggest to organisations that their safest option, in terms of reputational risk, is to treat every client as a potential threat. That means installing expensive and disproportionate physical security controls, such as holding their clients at the door or confronting them with a uniformed guard.

To me, that seems not only disproportionate but also inefficient and potentially counter-productive. Simply transferring the risk of interpersonal conflict or attack to a lightly trained security guard without screening technology, defensive equipment or legislated powers beyond that of an ordinary citizen, is neither fair nor a very effective control for the risk they are put there to prevent or respond to.

Health, safety and security practice demands that practitioners do not wait for harm to occur before acting to prevent it. Yet without evidence to back a ‘serious concern’, or evidence that a serious offence is imminent, Police are usually unable to act.

Without monitoring, how do organisations gather the evidence to form a judgement on what is a ‘serious concern’? Should they assume that every member of an opposed group is of equally good character, with equally peaceful intentions?

It seems illogical and irresponsible to allow a known risk to be realised before taking any action.
