29 March 2015

UK Privacy and Security Framework report

The report Privacy and Security: A modern and transparent legal framework, by the UK Intelligence and Security Committee of Parliament, comments:
i. The internet has transformed the way we communicate and conduct our day-to-day lives. However, this has led to a tension between the individual right to privacy and the collective right to security, which has been the focus of considerable debate over the past 18 months.
ii. The leak by Edward Snowden of stolen intelligence material in June 2013 led to allegations regarding the UK Agencies’ use of intrusive capabilities – in particular those relating to GCHQ’s interception of internet communications. This Committee investigated the most serious of those allegations – that GCHQ were circumventing UK law – in July 2013. We concluded that that allegation was unfounded. However, we considered that a more in-depth Inquiry into the full range of the Agencies’ intrusive capabilities was required – not just in terms of how they are used and the scale of that use, but also the degree to which they intrude on privacy and the extent to which existing legislation adequately defines and constrains these capabilities.
iii. All those who contributed to this Inquiry agreed that the intelligence and security Agencies have a crucial role protecting UK citizens from threats to their safety. The UK intelligence and security Agencies (MI5, SIS and GCHQ) exist to protect the country from threats and to obtain intelligence in the interests of the UK’s national security or economic well-being and for the detection and prevention of serious crime. The importance of this work is reflected in the fact that Parliament has provided the Agencies with a range of intrusive powers which they use to generate leads, to discover threats, to identify those who are plotting in secret against the UK and to track those individuals.
iv. However, in a democratic society those powers cannot be unconstrained: limits and safeguards are essential. First and foremost, the Agencies are public bodies and therefore everything they do must be in accordance with the Human Rights Act 1998 (which incorporates the European Convention on Human Rights into UK law). While the Agencies work to protect our national security, they must do so while upholding our basic human rights. Some rights are not absolute: the right to privacy, for example, is a qualified right – as all the witnesses to our Inquiry accepted – which means that there may be circumstances in which it is appropriate to interfere with that right. In the UK, the legal test is that action can be taken which intrudes into privacy only where it is for a lawful purpose and it can be justified that it is necessary and proportionate to do so. The question that we have considered in relation to each of the Agencies’ capabilities is whether the intrusion it entails is justified and whether the safeguards are sufficient.
v. Our Inquiry has involved a detailed investigation into the intrusive capabilities that are used by the UK intelligence and security Agencies. This Report contains an unprecedented amount of information about those capabilities, including how they are used, the legal framework that regulates their use, the authorisation process, and the oversight and scrutiny arrangements that apply.
The Committee summarises its key findings:
  • We are satisfied that the UK’s intelligence and security Agencies do not seek to circumvent the law – including the requirements of the Human Rights Act 1998, which governs everything that the Agencies do.
  • However, that legal framework has developed piecemeal, and is unnecessarily complicated. We have serious concerns about the resulting lack of transparency, which is not in the public interest.
  • Our key recommendation therefore is that the current legal framework be replaced by a new Act of Parliament governing the intelligence and security Agencies. This must clearly set out the intrusive powers available to the Agencies, the purposes for which they may use them, and the authorisation required before they may do so.
  • Our Report also contains substantial recommendations about each of the Agencies’ intrusive capabilities, which we consider are essential to improve transparency, strengthen privacy protections and increase oversight.
  • We have scrutinised GCHQ’s bulk interception capability in particular detail, since it is this that has been the focus of recent controversy:
      – Our Inquiry has shown that the Agencies do not have the legal authority, the resources, the technical capability, or the desire to intercept every communication of British citizens, or of the internet as a whole: GCHQ are not reading the emails of everyone in the UK.
      – GCHQ’s bulk interception systems operate on a very small percentage of the bearers that make up the internet. We are satisfied that they apply levels of filtering and selection such that only a certain amount of the material on those bearers is collected. Further targeted searches ensure that only those items believed to be of the highest intelligence value are ever presented for analysts to examine: therefore only a tiny fraction of those collected are ever seen by human eyes.
      – The current legal framework of external and internal communications has led to much confusion. However, we have established that bulk interception cannot be used to target the communications of an individual in the UK without a specific authorisation naming that individual, signed by a Secretary of State.
  • While these findings are reassuring, they nevertheless highlight the importance of a new, transparent legal framework. There is a legitimate public expectation of openness and transparency in today’s society, and the intelligence and security Agencies are not exempt from that.
The Report goes on to comment:
Interception of communications
While we have considered the entire range of intrusive capabilities available to the Agencies, public controversy has centred on GCHQ’s interception of internet communications which some have alleged means that GCHQ are ‘hoovering up’ the communications of everyone in the UK. Such ‘blanket surveillance’ would not only be unlawful, but also unacceptable. We have therefore scrutinised GCHQ’s capability to intercept internet communications in detail, including how GCHQ collect communications and the circumstances in which they may then examine those communications (paragraphs 49–128).
Why do the Agencies intercept communications?
The Agencies conduct two types of interception, depending on the information they have and what they are trying to achieve:
a) As an investigative tool. Where there is specific knowledge about a threat (e.g. a specific email address has been linked to terrorist activity), the Agencies may intercept that individual’s communications, provided they can demonstrate to a Secretary of State that it is necessary and proportionate to do so. This is known as ‘targeted interception’ and must be authorised by a warrant signed by a Secretary of State under Section 8(1) of the Regulation of Investigatory Powers Act 2000 (RIPA). Contributors to this Inquiry broadly accepted the principle of targeted interception. (Specific aspects of ‘targeted interception’ – and detailed recommendations for improvements in procedures – are covered in paragraphs 28–48.)
b) As a ‘discovery’, or intelligence-gathering, tool. The Agencies can use targeted interception only after they have discovered that a threat exists. They require separate capabilities to uncover those threats in the first place, so that they can generate leads and obtain the information they need to then target those individuals. It is this ‘bulk interception’ capability that has led to allegations that GCHQ are monitoring the communications of everyone in the UK.
How much of the internet do GCHQ ‘hoover up’?
We have investigated in considerable detail the processes by which GCHQ intercept internet communications in bulk. These processes involve first the collection of communications (which is authorised by a warrant signed by a Secretary of State under RIPA) and then the examination of a small number of those communications (if the material is listed in the Certificate that accompanies that warrant).
The first of the major processing systems we have examined is targeted at a very small percentage of the ‘bearers’ that make up the internet. As communications flow across those particular bearers, the system compares the traffic against a list of ‘simple selectors’. These are specific identifiers relating to a known target. Any communications which match are collected (paragraphs 60–64).
Analysts must then carry out a ‘triage process’ to determine which of these are of the highest intelligence value and should therefore be opened and read. Only a very small proportion (***%) of the items collected under this process xxxx (around *** items per day) are ever opened and read by an analyst. Even when GCHQ know that a communication relates to a known target, they still do not have the capacity to read all of them; they have to prioritise (paragraphs 74–75).
Another major processing system by which GCHQ may collect communications is targeted at an even smaller number (just ***%) of the bearers that make up the internet (these are a subset of those accessed by the process just described). GCHQ apply *** ‘selection rules’ and, as a result, the processing system automatically discards the majority of the traffic that is carried across these bearers. The remainder – which GCHQ consider most likely to contain items of intelligence value – are collected (paragraphs 65–73).
The processing system then runs both automated and bespoke searches on these communications in order to draw out communications of intelligence value. By performing complex searches combining a number of criteria, the odds of a ‘false positive’ are considerably reduced. The system does not permit GCHQ analysts to search these communications freely (i.e. they cannot conduct fishing expeditions). The complex searches draw out only those items most likely to be of highest intelligence value. These search results – around *** items per day – are then presented to analysts in list form: it is only the communications on this list that analysts are able to open and read. They cannot open any communications which have not matched the complex searches. (This can be thought of as using a magnet to draw the needle out of a haystack instead of combing through the straw yourself.) Analysts then rank the communications on the list in order of intelligence value, in order to decide which ones to examine: they open and read only a very tiny percentage of the communications collected (around *** items per day) (paragraphs 76–77).
GCHQ’s bulk interception systems operate on a very small percentage (***%) of the bearers that make up the internet. It cannot therefore realistically be considered blanket interception.
There are nevertheless still vast numbers of communications travelling across these bearers (hence it is described as bulk interception). GCHQ therefore filter this traffic still further, resulting in the collection of only a fraction of the traffic that is carried by this small number of bearers: ***.
This collection is based on specific criteria and filters: GCHQ do not therefore conduct interception indiscriminately.
Further, GCHQ do not open and read all the communications they collect. Collection and examination are two separate processes: only a very tiny percentage (***%) of the communications that GCHQ collect are ever opened and read by an analyst.
In practice, this means that fewer than *** of *** per cent of the items that transit the internet in one day are ever selected to be read by a GCHQ analyst, and these have gone through several stages of targeting, filtering and searching so that they are believed to be the ones of the very highest intelligence value.
Are GCHQ reading the communications of people in the UK?
We address this point in some detail, and provide examples, in paragraphs 105–115. However, in summary:
  • Communications between people in the UK are classed as internal communications: they can therefore only be searched for, examined and read through targeted interception, which requires the authority of an 8(1) warrant signed by a Secretary of State which names the individual being targeted. 
  • GCHQ are authorised to collect ‘external’ communications (where at least one end is outside the UK) under the broader authority of an 8(4) warrant signed by a Secretary of State. Of these, they are then authorised to search for and select communications to examine on the basis of a selector (such as an email address) of an individual overseas – provided that their reason for doing so is one or more of the categories described in the Certificate that accompanies the 8(4) warrant. 
  • Crucially, GCHQ can only search for and select communications to examine on the basis of a selector of an individual in the UK if – and only if – they first obtain separate additional authorisation from a Secretary of State which names that individual. It is unlawful for them to search for and examine the communications of someone in the UK without that additional targeted authorisation.
Do they need to intercept these communications?
While we are reassured that bulk interception is tightly drawn, it is nevertheless an intrusive capability. It is therefore essential that it is for a legal purpose, but also that it is necessary and proportionate. We have examined cases which demonstrate that this capability has been used to find communications indicating involvement in threats to national security. Bulk interception has exposed previously unknown threats or plots which threatened our security that would not otherwise have been detected (paragraphs 78–90). While we recognise privacy concerns about bulk interception as a matter of principle, we do not subscribe to the point of view voiced by some of our witnesses that it is preferable to let some terrorist attacks happen rather than to allow any form of bulk interception. It is right that the Agencies have this capability: what is important is that it is tightly controlled and subject to proper safeguards.
Is it properly controlled and regulated?
GCHQ must operate within the existing legal framework. Equally important is whether the existing legal framework is appropriate, particularly given changing technology and expectations about privacy. We have made a number of substantial recommendations for immediate improvements to the existing system of authorisation and oversight – we also recommend a more thorough overhaul of the legislation which we set out below. These short-term changes are broadly to address: the need for greater transparency; a more streamlined, simpler process; greater safeguards in relation to British citizens overseas, and for individuals who work in ‘sensitive’ professions that require privacy for their work; and increased oversight by the Interception of Communications Commissioner (we have recommended an increased role for both the Interception of Communications Commissioner and the Intelligence Services Commissioner in a number of areas covered by this Report).
Communications Data
While much of the recent controversy has focused on GCHQ’s interception of emails, there has also been concern over the use the Agencies make of Communications Data (CD). This encompasses the details about a communication – the ‘who, when and where’ – but not the content of what was said or written. CD is a critical capability for the Agencies: it is used to develop leads, focus on those who pose a threat and illuminate networks. However, concerns have been raised as to whether the distinction between data and content is still meaningful, and also whether changes in technology mean that CD is now just as intrusive as content.
In our opinion the definition of CD used in RIPA is narrowly drawn and, while the volume of CD available has made it possible to build a richer picture of an individual, this remains considerably less intrusive than content. It does not therefore require the same safeguards as content does. However, we have found this debate to be complicated by the confusion as to what information is categorised as CD and what is treated as content – particularly in relation to internet communications and web browsing histories (paragraphs 136–143).
It is essential to be clear what constitutes CD. In particular, there is a ‘grey’ area of material which is not content, but neither does it appear to fit within the narrow ‘who, when and where’ of a communication, for example information such as web domains visited or the locational tracking information in a smartphone. This information, while not content, nevertheless has the potential to reveal a great deal about a person’s private life – his or her habits, tastes and preferences – and there are therefore legitimate concerns as to how that material is protected.
We have therefore recommended that this latter type of information should be treated as a separate category which we call ‘Communications Data Plus’. This should attract greater safeguards than the narrowly drawn category of Communications Data.
Other intrusive capabilities
We have also examined a number of other intrusive capabilities that are used by the Agencies (paragraphs 151–193). These include both the explicit capabilities defined in RIPA (such as the use of surveillance and the use of agents), and those capabilities that are implicitly authorised through general provisions in the Security Service Act 1989 and the Intelligence Services Act 1994 (such as the use of IT Operations against targets overseas and the acquisition of Bulk Personal Datasets). Our Report contains a number of detailed recommendations, primarily in relation to: greater transparency, to the extent that this is possible without damaging national security; and specific statutory oversight by either the Intelligence Services Commissioner or the Interception of Communications Commissioner in those areas where oversight is currently undertaken on a non-statutory basis.
Authorisation of intrusive action
The Agencies’ most intrusive capabilities are authorised by a warrant or other authorisation signed by a Secretary of State, with officials authorising those capabilities considered to be less intrusive. The primary question we have considered in this area is whether Ministers or judges should sign warrants for intrusive activity. We recognise the concerns put to us by some witnesses about public trust. However, the deciding factor for us is that while both Ministers and judges can assess legal compliance, Ministers can then apply an additional test in terms of the diplomatic and political context and the wider public interest. This additional test would be lost if responsibility were transferred to judges and might result in more warrant applications being authorised. Furthermore, judges are not held accountable, or asked to justify their decisions to Parliament and the public, as Ministers are. It is therefore right that responsibility for authorising warrants for intrusive activity remains with Ministers (paragraphs 194–203).
The legislative framework
There is no one piece of legislation that governs what the intelligence and security Agencies can and cannot do: broadly, the Security Service Act 1989 and the Intelligence Services Act 1994 provide the legal basis for the Agencies’ activities, but that is subject to the overarching requirements of the Human Rights Act 1998, and further constraints on certain of those activities as set out in a number of other pieces of legislation (for example, the Regulation of Investigatory Powers Act 2000). This is not just opaque, it is unnecessarily complicated. Further, it is inappropriate that many key capabilities – for example, the exchange of intelligence with international partners – are implicitly authorised rather than formally defined in statute (paragraphs 220–275).
The Committee has serious concerns about the adequacy of the current legislative framework governing and constraining the Agencies’ activities. We have seen no evidence that the Agencies are seeking to circumvent the law: in fact, the care and attention given to complying with the law within the Agencies is highly commendable. But the lack of clarity in the existing laws, and the lack of transparent policies beneath them, has not only fuelled suspicion and allegations but has also meant that the Agencies could be open to challenge for failing to meet their human rights obligations due to a lack of ‘foreseeability’. The adequacy of the legal framework and the greater need for transparency have been at the forefront of this Inquiry throughout.
While the Committee has concluded that the legal framework governing the Agencies’ use of intrusive powers requires greater transparency, this is a political view rather than a legal judgment. The narrower question as to whether the legislation and Agencies’ policies adequately meet the legal requirement for ‘foreseeability’ under the European Convention on Human Rights is, rightly, a matter for the Investigatory Powers Tribunal (IPT) and the European Court of Human Rights. In this respect, we note the recent IPT judgments on this issue on 5 December 2014 and 6 February 2015. Nevertheless, whatever decision the courts may reach in relation to compliance with the legal requirements of the Convention, we consider that additional improvements can and should be made as a matter of good practice.
While we have made specific recommendations in relation to specific capabilities throughout this Report, these are only short-term solutions: such reforms and improvements around the edges of the existing legislation are not sufficient in the long term. Rather than reforming RIPA, as some have suggested, we consider that the entire legal framework governing the intelligence and security Agencies needs replacing.
The purposes, functions, capabilities and obligations of the Agencies should be clearly set out in a new single Act of Parliament. This should be distinct from legislation covering law enforcement and other bodies currently covered by RIPA: the purpose, scale and use of intrusive activities conducted by the intelligence Agencies are not the same as those conducted by the police or local authorities.
We have set out the key principles which must underpin this new legal framework in detail. These are based on explicit avowed capabilities, together with the privacy constraints, transparency requirements, targeting criteria, sharing arrangements and other safeguards that apply to the use of those capabilities.
These changes are overdue.
Not only is there a legal requirement of ‘foreseeability’ to ensure compliance with human rights law, there is also a legitimate public expectation of openness and transparency in today’s society and, while the Agencies require secrecy in order to conduct much of their work, the Government must make every effort to ensure that as much information as possible is placed in the public domain. This is essential to improve public understanding and retain confidence in the work of the intelligence and security Agencies.
In its recommendations the Committee states:
The Committee considers that the Government should introduce a new Intelligence Services Bill setting out, in one Act of Parliament, the functions of the three UK intelligence and security Agencies. This should consolidate the intelligence and security related provisions of the following legislation:
  • Security Service Act 1989
  • Intelligence Services Act 1994
  • Regulation of Investigatory Powers Act 2000
  • Wireless Telegraphy Act 2006
  • Telecommunications Act 1984
  • Counter-Terrorism Act 2008; and
  • the relevant provisions of other legislation as appropriate.
The new legislation should clearly list each intrusive capability available to the Agencies (including those powers which are currently authorised under the implicit authorities contained in the Intelligence Services Act and the Security Service Act) and, for each, specify:
a. The purposes for which the intrusive power can be used (one or more of: the protection of national security, the safeguarding of the economic well-being of the UK, or the detection or prevention of serious crime).
b. The overarching human rights obligations which constrain its use.
c. Whether the capability may be used in pursuit of a specific person, location or target, or in relation to a wider search to discover unknown threats.
d. The authorisation procedures that must be followed, including the review, inspection and oversight regime.
e. Specific safeguards for certain individuals or categories of information – for example, UK nationals, legally privileged information, medical information etc. (This should include incidental collection where it could not reasonably have been foreseen that these categories of information or individuals might be affected.)
f. Retention periods, storage and destruction arrangements for any information obtained.
g. The circumstances (including the constraints that might apply) in which any intelligence obtained from that capability may be shared with intelligence, law enforcement or other bodies in the UK, or with overseas partners.
h. The offence which would be committed by Agency personnel abusing that capability.
i. The transparency and reporting requirements.
In terms of the authorisation procedure, the following principles should apply:
a. The most intrusive activities must always be authorised by a Secretary of State.
b. When considering whether to authorise the activity, the Secretary of State must take into account, first, legal compliance and, if this is met, then the wider public interest.
c. All authorisations must include a summary of the expected collateral intrusion, including an estimate of the numbers of innocent people who may be impacted, and the extent to which the privacy of those innocent people will be intruded upon.
d. Any capability or operation which would result in significant collateral intrusion must be authorised by a Secretary of State.
e. All authorisations must be time limited (usually for no longer than six months).
f. Where an authorisation covers classes of activity conducted overseas, this must include the requirements for recording individual operations conducted under those authorisations, and the criteria for seeking separate Ministerial approval.
g. Where intelligence is sought from overseas partners, the same authorisation must be obtained as if the intrusive activity was undertaken by the UK Agency itself.
h. Where unsolicited material is received, the circumstances in which it may be temporarily held and assessed, and the arrangements for obtaining retrospective authority (or where authority is not given, destruction of the material) must be explicitly defined.
In relation to communications, given the controversy and confusion around access to Communications Data, we believe that the legislation should clearly define the following terms:
– ‘Communications Data’ should be restricted to basic information about a communication, rather than data which would reveal a person’s habits, preferences or lifestyle choices. This should be limited to basic information such as identifiers (email address, telephone number, username, IP address), dates, times, approximate location, and subscriber information.
– ‘Communications Data Plus’ would include a more detailed class of information which could reveal private information about a person’s habits, preferences or lifestyle choices, such as websites visited. Such data is more intrusive and therefore should attract greater safeguards.
– ‘Content-Derived Information’ would include all information which the Agencies are able to generate from a communication by analysing or processing the content. This would continue to be treated as content in the legislation.
The Committee has identified a number of areas where we believe there is scope for the Government to be more transparent about the work of the Agencies. The first step – as previously set out – is to consolidate the relevant legislation and avow all of the Agencies’ intrusive capabilities. This will, in itself, be a significant step towards greater transparency. Where it is not practicable to specify the detail of certain arrangements in legislation, the Government must nevertheless publish information as to how these arrangements will work (for example, in Codes of Practice). We recognise that much of the detail regarding the Agencies’ capabilities must be kept secret. There is, however, a great deal that can be discussed publicly and we believe that the time has come for much greater openness and transparency regarding the Agencies’ work.