What Snowden "revealed"
In June 2013, the Guardian and the Washington Post ran stories based on information leaked by Edward Snowden. These revealed the existence (since publicly confirmed) of two vast data-gathering projects in the US:
- Prism, which collects information from technology companies
- “Upstream collection” programmes, which intercept telephone and internet traffic from major internet cables and switches
The stories also alleged the existence of a programme, Tempora, under which GCHQ had reportedly been intercepting fibre-optic cables carrying internet traffic in and out of the UK.
Spotlight on oversight
The UK Government (in accordance with long-standing policy) neither confirms nor denies Tempora’s existence. But this has not stopped some intensive scrutiny by statutory oversight bodies and others.
Shortly after the Snowden revelations, the Intelligence and Security Committee issued an early statement concluding that allegations that GCHQ had acted illegally by accessing the content of private communications via the Prism programme were “unfounded”.
It also conducted an inquiry into the intelligence agencies’ intrusive capabilities which reported in March 2015. This concluded that the existing legal framework governing these capabilities was unnecessarily complicated, and recommended that it be replaced with a new Act of Parliament.
Two judgments from the Investigatory Powers Tribunal (IPT), issued in December 2014 and February 2015, examined the extent to which "assumed activities" by the intelligence services were compatible with Articles 8 and 10 of the European Convention on Human Rights (the rights to private and family life, and to freedom of expression).
The first judgment found that they were, at least since the authorities made information public during the litigation about certain safeguards in the system. However, it left open the question of whether the regime was compatible with the Convention before those disclosures.
This question was addressed in the second judgment. The IPT declared that up until December 2014, the regime had been incompatible with the Convention because there was not sufficient information about the safeguards in the public domain.
This was hailed as a victory by the organisations that had brought the case. Those organisations have filed an appeal with the European Court of Human Rights against the earlier judgment. GCHQ acknowledged that the IPT had found against it “in one small respect”, but stressed that the safeguards themselves were “fully adequate”.
Needles and haystacks
The essential problem is that by the time the intelligence services have suspicions about an individual, much of the online plotting may have already taken place.
The usual metaphor is that they may need to gather a "haystack" of communications data (the “who, when and where” of a communication - see margin) in advance, so that when necessary they can undertake targeted searches for the "needle" of information they need (the content of communications between suspects, for example).
As evidence to the Intelligence and Security Committee has shown, there is a fundamental clash between those who believe that the bulk collection of communications data represents an unacceptable intrusion, and those who are content for this to happen so long as there are suitable safeguards on how it can be searched and the content of communications accessed.
The previous Government stated that communications data has been used in every major security service counter-terrorism investigation over the last decade.
Who gathers the haystack, and what should it include?
Whilst the Snowden revelations concerned the intelligence services’ own data-gathering activities, there has also been controversy about the data that private companies, particularly communications firms, are expected to keep about their customers.
Regulations under the 2006 EC Data Retention Directive required public communications providers to keep communications data on internet access, internet telephony, email, and fixed-line and mobile telephony.
In April 2014, the European Court of Justice declared the Directive invalid on the grounds that it entailed “a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data”.
Three months later, the previous Government introduced emergency legislation that, among other things, sought to re-enact some of the mandatory data retention provisions, while addressing the ECJ judgment “where possible”.
The resulting Data Retention and Investigatory Powers Act 2014 (DRIP) has a sunset clause, which means it will expire at the end of 2016.
Another piece of emergency legislation, the Counter-Terrorism and Security Act 2015, will require communications service providers to keep data that would allow authorities to track the individual or device that was using a particular internet protocol (IP) address at any given time.
More controversial was the draft Communications Data Bill or “snoopers’ charter”, which the Liberal Democrats opposed. The Bill would have required communications companies to keep records for at least a year of every website visited by a subscriber.
The New Parliament
In addition to the recommendations of the March 2015 ISC report, at least two reviews (by David Anderson QC, the independent reviewer of terrorism legislation, who reported to the Prime Minister on 6 May 2015, and by a panel convened by the Royal United Services Institute) will feed into the debate in the new Parliament on the extent and oversight of the intelligence services’ intrusive capabilities.
The Conservative manifesto said they will introduce new communications data legislation but will “continue to strengthen safeguards”.
What is communications data and content, and how is GCHQ allowed to access it?
Communications data covers the “who, when and where” of a communication, but not the content. It can include, for example, the address and identity of the sender and recipient(s) and the IP address of any computers used.
Communications between people in the UK are classed as “internal”. If the intelligence agencies want to search for them and read the content, they have to apply for a warrant under section 8(1) of the Regulation of Investigatory Powers Act 2000. This must name the individual or premises concerned.
GCHQ can collect “external” communications data (where at least one party is overseas) in bulk under a section 8(4) warrant. It can then search for and select communications to examine using a selector (e.g. an email address) of an individual who is overseas, providing the Secretary of State has certified this as necessary for statutory purposes (such as national security).
If GCHQ wants to search for and select “external” communications to examine based on a selector of an individual in the UK, it must get additional authorisation from a Secretary of State which names that person.
The Secretary of State cannot issue section 8(1) or section 8(4) warrants unless they believe it is both necessary and proportionate.
The March 2015 Intelligence and Security Committee report identified a “grey” category – “communications data plus” – which could reveal important details about a person’s private life. They recommended that this should attract greater safeguards than ‘ordinary’ communications data.
- Conservatives: introduce new communications data legislation
- Labour: strengthen oversight of intelligence agencies
- Liberal Democrats: introduce legislation so that the police and intelligence agencies do not obtain data on UK residents from foreign Governments that would not be legal to obtain in the UK under UK law
- UKIP: create a new over-arching role of Director of National Intelligence