Legal limbo where spies reside is beyond spooky

http://www.theguardian.com/world/2015/mar/12/legal-limbo-spies-reside-spook-intelligence-agencies

Version 0 of 1.

The discovery of a rogue spook at GCHQ is certainly the most eye-catching revelation in the latest report by the interception of communications commissioner. But it is not the most far reaching.

What we know is that someone on the staff of the government’s eavesdropping centre in Cheltenham deliberately carried out a number of unauthorised searches last year. He or she examined what’s called related communications data. These are the phone numbers or email addresses that are kept after the content of intercepted communications has been discarded.

We have not been told whether the individual was an intelligence analyst or some sort of communications specialist. But what we do know is that the unauthorised searches were picked up by GCHQ’s own internal security systems and the individual was immediately suspended. After a wideranging internal inquiry, the employee’s developed vetting status was withdrawn and he or she was sacked for gross misconduct.

The motive behind these unauthorised searches has not been disclosed but it’s not suggested that the individual was selling secrets or that the security breach was of the highest level. Even so, the commissioner, Sir Anthony May, described it as a very serious case.

Related: Handful of UK spies accessed private information inappropriately, ISC says

May, a retired appeal judge, pointed out that accessing GCHQ’s computers for an unauthorised purpose could amount to an offence under the Computer Misuse Act 1990, though he did not go so far as to say that a prosecution should have been brought. That may be because there is room for argument over whether the actions taken were “unauthorised”. And, of course, a criminal trial might have jeopardised the confidentiality of GCHQ’s operations.

This is the first known instance of deliberate abuse of GCHQ’s interception and communications data systems. But what’s telling about the incident is that GCHQ chose to disclose the incident to their oversight commissioner, rather than to announce it on the agency’s own website. May said in his report that there was more the intelligence agencies could do to inform the public about how they use their statutory powers.

The most far reaching disclosure in May’s report is that he has been asked by the prime minister to oversee what are called directions under section 94 of the Telecommunications Act 1984. The use of these shadowy powers has never before been the subject of any oversight regime. Under section 94, the home secretary and her counterparts may give directions to providers of public electronic communications networks.

Communications companies must comply with the directions and keep them confidential if told to do so. The secretary of state can give a direction only if she or he thinks it is necessary in the interests of national security or relations with a foreign country. These directions do not need to be published if the secretary of state thinks that disclosure would harm national security, foreign relations or commercial interests. Since none has been published, there was no official confirmation that they had ever been used.

So David Cameron’s decision to bring these directions under the oversight of the commissioner is the first public admission, or avowal, that the intelligence and security agencies use section 94 directions to obtain information from communications companies. Exactly how the directions are used is not known. But we can get some idea of the scale of their use from the fact that May has demanded extra staff — and possibly technical facilities — to oversee their use. He will consider whether the powers are being used in a way that is necessary, proportionate and subject to sufficient safeguards.

The commissioner will be examining directions on a non-statutory basis for the time being. But May wants this new system of oversight to be included in legislation after the general election. A new, comprehensive law has now been recommended by parliament’s intelligence and security committee, which said the current law is unnecessarily complicated and lacks transparency.

Related: UK surveillance laws need total overhaul, says landmark report

The committee raised concerns about the use of directions under the 1984 act but was unable to shed much light on them. The intelligence and security agencies told the committee that providing detailed information about the capabilities they have, derived from the 1984 act, “would be significantly damaging to national security”. Despite that, the committee said that the current arrangements under the Telecommunications Act “lack clarity and transparency, and must be reformed”. It added: “This capability must be clearly set out in law, including the safeguards governing its use and statutory oversight arrangements.”

Another source of intelligence that the committee wants to put on a statutory basis are bulk personal datasets. These are large databases containing personal information about a wide range of people. The agencies’ capability to obtain these databases has not previously been acknowledged and there has been no public or parliamentary consideration of privacy and safeguards. These databases vary in size from hundreds to millions of records. They may be obtained overtly or covertly. Keying in a single telephone number can produce all the information held about an individual. The databases are used by the security service to establish to establish links between individuals that that MI6 “might be able to exploit”.

However, the committee dismisses Edward Snowden’s allegations that GCHQ “hoovers up” and collects all internet communications. That was beyond the agency’s capability, the parliamentarians said. GCHQ’s bulk interception systems were used primarily for intelligence-gathering purposes (as opposed to targeted investigation of known threats or people).

Bulk interception is conducted on communications to or from the UK. It involves three stages of targeting, filtering and selection:

First, choosing which communications links, or bearers, to access: GCHQ’s systems operate on a very small percentage of the bearers that make up the internet.

Then, selecting which communications to collect from those links that are being accessed: GCHQ applies levels of filtering and selection such that only a fraction of the material on those bearers is collected.

Finally, deciding which of the communications collected should be read: further targeted searches ensure that only those items believed to be of the highest intelligence value are ever presented for analysts to examine. Only a very tiny percentage of those collected are ever seen by human eyes.

The committee insisted that this did not amount to blanket or indiscriminate surveillance. GCHQ did not have the legal authority, the technical capacity nor the resources to achieve this, it added.

There is likely to be widespread support for the “serious concerns” raised by the committee about the adequacy of current laws. The more we are told about the agencies’ powers, the more we find we do not know. The committee’s proposed new intelligence services bill is needed more than ever.