from the so...-what-do-you-spies-think-we-should-do-about-all-this-spying? dept
New documents obtained by Privacy International as a result of its ongoing litigation over GCHQ bulk surveillance shows (yet again) there's really no such thing as "oversight" when it comes to spying. Owen Bowcott of The Guardian highlights conversations between GCHQ and its supposed oversight, in which the former talks the latter out of applying more restrictive guidelines from updated laws to its massive data intake. (
Unfortunately, Bowcott discusses the documents but does not link to them, and I have been unable to locate these at Privacy International's website. Found 'em.)
The letters were sent by Home Office legal advisers, GCHQ and Sir Swinton Thomas, who was the interception of communications commissioner. The organisation is now called the Interception of Communications Commissioner’s Office (IOCCO).
In May 2004, a Home Office legal adviser wrote to Thomas backing an MI5 proposal that collecting bulk data from communication service providers for its “database project” be authorised under section 94 of the 1984 Telecommunications Act because, at that stage, there were no human rights implications or breach of privacy concerns. Using that act would not require a notice to be put before parliament because it could be used secretively on the grounds that “disclosure of the direction would be against the interests of national security”.
Thomas briefly tried to act as an overseer, suggesting the GCHQ would be on firmer legal footing if it applied a more-updated law to its collection practices: the Regulatory of Investigatory Powers Act of 2000. Because this newer law contained more procedural safeguards and additional transparency requirements, GCHQ was obviously uninterested in applying this to its bulk collections.
The UK Home Office got involved at this point, claiming the newer law was not really a law at all, but collated stack of suggestions.
The Home Office responded, saying that, although Ripa might be engaged, it did not think that meant it must be used. The letter continued: “The only practical difference between the two sets of provisions is if [Ripa] were used, a new notice would need to be issued every month … involving a fresh consideration of the necessity and proportionality issues. This would not be the case under section 94 [of the Telecommunications Act].”
Yeah, why bother periodically reassessing "necessity and proportionality" of orders when you can issue one order and have it apply indefinitely? GCHQ also expressed its concern about using the new law, saying it wanted to keep all of its collections in one big pile, even if that meant intermingling minimized and unminimized data.
Its oversight reluctantly agreed.
Thomas backed down, replying that, “on reconsideration”, use of Ripa was not mandatory. He added: “I am also impressed by the considerable and, if possible to be avoided, inconvenience in following the [Ripa] procedure in the database procedures.”
And, just like that, any protections UK citizens might have gained from the 2000 version of RIPA were waved away in the interest of bulk collection convenience. This conversation every appearance of someone raising an issue in hopes of being talked out of it and expressing relief when this was accomplished. For UK citizens, this meant that GCHQ could collect both minimized data (anonymized by stripping of identifying info) and unminimized data and mix it all together in its storage, thereby nullifying the protective minimization methods.
It is, as Privacy International states, a "total failure" of oversight. There's no evidence that the Home Office or the IOCCO ever acted in an adversarial fashion. Both appear to have cut GCHQ as much slack as it needed to avoid having to adhere to an updated law written explicitly to regulate investigatory powers. Instead, they both allowed GCHQ to avail itself of lower legal requirements by applying a 20-year-old law -- one that could not have possibly anticipated the exponential surveillance growth in the intervening years -- to its post-2001 bulk surveillance.