Our initial thoughts on Parliament’s Intelligence and Security Committee report

The Don't Spy On Us campaign's initial thoughts on Parliament’s Intelligence and Security Committee report ‘Privacy and Security: A modern and transparent legal framework’



#Legislative framework
Parliament's Intelligence and Security Committee (ISC) confirms that the UK's current legislative framework governing surveillance is woefully inadequate. Every section of the report recommends legislative reforms, culminating in the conclusion that the entire complicated, opaque system should be thrown out, and we should start again. This conclusion is bolstered by the fact that large swaths of intelligence techniques including hacking and the collection of "bulk personal datasets" are acknowledged to completely lack detailed statutory authorisation.

The Committee proposes a number of principles that should guide the elaboration of a new legal framework. While we approve of many of these principles and safeguards, there are some fundamental flaws with the framework proposed, namely:

- there is no proposal to eradicate mass surveillance/bulk interception

- there is no introduction of judicial authorisation of warrants

- there is no restriction of the types of capabilities deployable by the security agencies (e.g. breaking encryption, back doors etc.)

- there is no restriction on renewable authorisations, and authorisations are lengthy in time (usually 6 months)

- the distinction between communications data and "communications data plus" is futile and not easily drawn. The higher standard should apply to all access to communications data, as should judicial authorisation

#Scope of bulk interception
The report is consistent with information contained in the Snowden documents that GCHQ has tapped almost every fibre optic cable - referred to as "bearers" by the ISC - in the UK. These chosen bearers, the report reveals, carry "billions of communications" a day, which are filtered and scanned by GCHQ using thousands of selectors. Data contained in the Snowden documents suggest the number of selectors runs into the tens of thousands - one document records that the NSA applies 30,000 and GCHQ 40,000.

The warrant regime pertaining to bulk interception activities is exceptionally broad; the report notes that there are only 19 warrants in existence to cumulatively authorise the interception of billions of communications each day. The reasons listed in the warrants are exceptionally vague, and include "controlled drugs" and "material providing intelligence on terrorism". In one instance mass surveillance was also justified on the basis of "strategic environmental issues".

The report is frank in its long overdue recognition of the futility of the internal/external distinction. The Committee notes that the evidence given by the Foreign Secretary "appeared to indicate that all internet communications would be treated as ‘external’ communications under RIPA – apart from an increasingly tiny proportion that are between people in the UK, using devices or services based only in the UK, and which only travel across network infrastructure in the UK." Accordingly, the ISC makes the important finding that "the current system of ‘internal’ and ‘external’ communications is confusing and lacks transparency. The Government must publish an explanation of which internet communications fall under which category, and ensure that this includes a clear and comprehensive list of communications."

Importantly, the Committee acknowledges the reality that "Under bulk interception, it is not technically possible to filter out LPP material, and it may therefore be incidentally collected." The Committee maintained that the fact that it is collected does not mean that it will be examined, and that GCHQ has policies in place to ensure examination only happens under exceptional circumstances, but nevertheless this makes clear that privileged materials are not immune from interception in a mass surveillance system.

#Safeguards
The section 16(3) safeguards - the only safeguards in RIPA - are found wanting by the ISC. The Committee said: "The nature of the 16(3) modification system is unnecessarily complex and does not provide the same rigour as that provided by an 8(1) warrant. We recommend that – despite the additional resources this would require – searching for and examining the communications of a person known to be in the UK should always require a specific warrant, authorised by a Secretary of State." They also note the lack of protection for UK nationals abroad, and recommend the adoption of a system similar to that operated by the US, in which privacy protections extend to UK nationals no matter where they are.

#Thematic warrants
We have long been assured that the surveillance of those within the British Isles is tightly controlled through a mandatory requirement to obtain a section 8(1) warrant, which requires specifying a person or a place. A central safeguard afforded those in the British Isles is that they cannot be spied upon unless a warrant is issued specifically identifying them and the reason why they are of interest. The report admits the existence of “thematic warrants”, which destroy this protection. By permitting the targeting of “any organisation or any association or combination of persons”, the thematic warrant obliterates the specificity requirement, allowing the intelligence services to place whole groups under surveillance without adequate safeguards. It is possible that such “thematic warrants”, which purport to be targeted forms of surveillance, could be used against organisations, people in a particular area, attending a particular event etc.

#Retention
Information on the length of time for which data - both content and communications data - is retained by GCHQ is suspiciously redacted from the report.

#Bulk Personal Datasets
BPDs have never before been publicly referred to by the government. They are "large databases containing personal information about a wide range of people", and are derived through covert and overt channels. Little is known about these datasets, but the choice of words by MI5 DG is illustrative - "there are datasets that we deliberately choose not to reach for" - insinuating that it may be via covert intrusive techniques that they acquire such data. In any event, it is likely that such datasets are acquired from government agencies, companies and credit agencies, and include health data, travel data, financial transaction data etc.

There is no legislative basis for the use of BPDs, other than the broad powers to obtain and disclose information in the ISA 1994, and there is no statutory basis for oversight, retention or deletion.

#Proportionality
Less than two pages of the report is dedicated to the question of whether bulk interception works and is a valuable tool, and most of it is redacted. No concrete examples are provided to show how this data is used to improve the security and safety of the British public.

As the UN Special Rapporteur on protecting human rights while countering terrorism found, any system so invasive of human rights could only ever be lawful and proportionate if the government presented a rigorous evidence-based justification for its deployment. The ISC has failed to do so.

#Oversight
The report admits that the most critical parts of the interception process - the selection of which cables to search, the application of selectors and initial search criteria, and then the more complex searches - are completely removed from oversight by the Ministers or the Commissioner. The number of "selection rules" applied to intercepted data doubled between March and November 2014 without any review or audit.

The Committee notes with concern that abuse of surveillance and interception capabilities by GCHQ employees is not a criminal offence, and recommended that it become one. In only one instance has GCHQ dismissed a member of staff for misusing access to GCHQ's systems.

The Committee notes there is no oversight of interception carried out under the Wireless Telegraphy Act [134], and no statutory oversight of the use of BPDs, although the Intelligence Services Commissioner has non-statutory responsibility for oversight.

#Communications data
The Report recognises that communications data and content-derived information are far more valuable to GCHQ than content itself [80], and that the statutory definition of communications data is narrowly drawn [143]. They express concerns that certain categories of communications data ("communications data plus") are more revelatory and thus deserve greater safeguards.

#Interferences with wireless telegraphy
The report describes the tactic of interference with wireless telegraphy, which is the “sending or receiving signals over the airwaves rather than using wires. Examples are TV/radio signals, mobile phone signals, GPS/radar/sonar signals and signals sent by remote controls of various kinds”. Common techniques that the Agencies use to interfere with wireless telegraphy are redacted in the report, as is an entire section describing examples of interference with wireless telegraphy. Interference with wireless telegraphy is authorised under section 5 of ISA, although the number of authorisations each year is redacted in the report. Authorisations for interference with wireless telegraphy are not subject to any oversight.

#Computer Network Exploitation
The report acknowledges that there is no specific authorisation regime governing CNE. Despite this, the report describes how GCHQ develops decryption capabilities and has two other strands of work (redacted) related to enabling them to read encrypted communications. The report notes that GCHQ accepts that it discovers and uses a redacted number of vulnerabilities for use in CNE operations.

GCHQ has five section 7 class-based authorisations to execute activities that would otherwise be unlawful under British law.

#Judicial authorisation
The Committee disappointingly concludes that Ministers are better placed to approve authorisations for surveillance, stating that Ministers can apply both legal and political judgement to the matters. This misunderstands the way a rigorous authorisation process should work. Ministers should absolutely apply political judgement to the question of interception, but this should be followed by an independent, competent judicial authority who can make the decision separately from the agencies who rely upon it.

#IPT
The Committee notes the failings of the IPT as expressed by many of those who submitted to the Committee. The only one of those failings they chose to address in their recommendations, however, is the absence of an avenue for appeal at the domestic level, which they recommended be rectified in any new legislation.

#Intelligence sharing
The Committee noted that there are currently no legal or regulatory constraints governing access to foreign intelligence material, and arrangements are implemented as a matter of policy and practice only. They found this situation unsatisfactory and called for new legislation requiring the Agencies to have an interception warrant in place before seeking communications from a foreign partner.

#Powers under the Telecommunications Act 1984
The report is incredibly vague when it comes to the powers granted to the security services under the Telecommunications Act, s.94 of which enables the Secretary of State to make directions of a general character in the interests of national security, and require any person to do or not to do a specified thing. The report provides no further information about how these orders are used, and instead accepts the representations of the Agencies that providing detailed information publicly about their capabilities under this Act would be significantly damaging to national security [265].

#NCND
The Committee accepted the agencies’ contention that there is a limit to what can be said publicly about their work [284] but maintained that greater openness about their activities is essential, and more must be done. The Committee said “the Government will need to adopt a more open approach to the Agencies’ activities in order to improve understanding and public trust… the Government will need to adopt a more open approach to the Agencies’ activities in order to improve understanding and public trust.” [285]
