As Techdirt has noted previously, the UK body nominally responsible for overseeing the intelligence services, the Intelligence and Security Committee of Parliament (ISC), does little more than rubber-stamp what has taken place. The new ISC report "Privacy and Security: A modern and transparent legal framework" (pdf) is more of the same. Here is its own summary of the findings:
The UK's intelligence and security Agencies do not seek to circumvent the law.
However, the legal framework is unnecessarily complicated and -- crucially -- lacks transparency.
Our key recommendation therefore is that all the current legislation governing the intrusive capabilities of the security and intelligence Agencies be replaced by a new, single Act of Parliament.
And that's it: basically, the ISC is saying that all that is needed is a bit of a legal tidying-up. In terms of more detailed recommendations, the report suggests that the abuse of interception powers should be made a criminal offense -- currently it isn't -- and that a new category of metadata called "Communications Data Plus", which includes things like Web addresses, needs slightly greater protection than "traditional" telephone metadata.
The heart of the report's failure can be found in its discussion of bulk surveillance:
Our Inquiry has shown that the Agencies do not have the legal authority, the resources, the technical capability, or the desire to intercept every communication of British citizens, or of the internet as a whole: GCHQ are not reading the emails of everyone in the UK.
But of course, nobody said GCHQ was doing that. The problem is that it is ingesting disproportionate quantities of the Internet's traffic passing into and out of the UK, and then analyzing it -- in other words, engaging in indiscriminate mass surveillance. The report pretends to address that issue, writing:
GCHQ's bulk interception systems operate on a very small percentage of the bearers that make up the internet.
A "bearer" refers to one of the main connections to the Internet -- typically fiber-optic cables capable of carrying many gigabits of information per second. The issue is not how many such bearers GCHQ taps, but which ones. One of Snowden's earliest and most important leaked documents suggests that spying on even a "very small percentage" of the bearers gives GCHQ almost total oversight of everyone's Internet activities. Moreover, the following does not help:
We are satisfied that they apply levels of filtering and selection such that only a certain amount of the material on those bearers is collected. Further targeted searches ensure that only those items believed to be of the highest intelligence value are ever presented for analysts to examine: therefore only a tiny fraction of those collected are ever seen by human eyes.
Targeted searches can be re-directed at any moment, giving GCHQ's "human eyes" access to anything they want. It is that potential for anything that is done online in the UK to be snooped upon that is problematic.
To see why, consider a parallel universe where CCTV cameras were installed in every room in every building in the country, but all on the understanding that only a "tiny fraction" of the videos collected would ever be seen by human eyes. Since there is no way of knowing whether the footage from the CCTVs currently recording you will be looked at, you may well constrain your activities in case they are. That same logic applies to gathering most UK Internet activity -- the only reason we don't see the chilling effects yet is that most people are unaware of what is happening.
Perhaps the UK public takes at face value assurances that only "external communications" are collected and analyzed. But the ISC report confirms for the first time that UK citizens using leading Internet services like Gmail or Facebook do indeed count as "external", and are therefore fair game:
This appeared to indicate that all internet communications would be treated as 'external' communications under RIPA -- apart from an increasingly tiny proportion that are between people in the UK, using devices or services based only in the UK, and which only travel across network infrastructure in the UK.
The ISC report tries to justify this bulk collection of everyone's data on the grounds that targeted surveillance is not enough:
It is essential that the Agencies can 'discover' unknown threats. This is not just about identifying individuals who are responsible for threats, it is about finding those threats in the first place. Targeted techniques only work on 'known' threats: bulk techniques (which themselves involve a degree of filtering and targeting) are essential if the Agencies are to discover those threats.
Leaving aside the point that it is quite possible to discover unknown threats by working from existing intelligence -- in other words, using tried-and-tested techniques that have been successfully applied countless times in the past -- this ignores a key issue: that bulk collection is disproportionate given the threat it is supposed to address. This was a view expressed by one of the report's expert witnesses, Isabella Sankey, from the UK civil rights organization, Liberty. As she put it:
Some things might happen that could have been prevented if you took all of the most oppressive, restrictive and privacy-infringing measures. That is the price you pay to live in a free society.
The ISC did not agree:
While we recognise privacy concerns about bulk interception, we do not subscribe to the point of view that it is acceptable to let some terrorist attacks happen in order to uphold the individual right to privacy -- nor do we believe that the vast majority of the British public would.
But once you take that position, you justify all kinds of intrusive surveillance -- including installing CCTV cameras in every room in every building. After all, it is quite possible that doing so would stop a terrorist attack at some point, and so by the ISC's logic it is quite acceptable to require this massive intrusion into people's private lives. As for its claim that "the vast majority of the British public" would not view it as acceptable to allow some attacks to happen as the price of living in a free society, the ISC offers no proof of this, but evidently assumes that people in the UK have been reduced to such a quivering, fearful mass by the UK government's constant warnings about "terror" that they will happily hand over their freedom in the vain hope this will buy them safety.
Although depressing, it's hardly news that the UK government now considers pervasive surveillance to be justified and palatable, even. But the ISC report does contain one big surprise:
The Agencies use Bulk Personal Datasets -- large databases containing personal information about a wide range of people -- to identify individuals in the course of investigations, to establish links, and as a means of verifying information obtained through other sources. These datasets are an increasingly important investigative tool for the Agencies.
The report says that some of these databases contain "millions of records", and that they may be linked together. Even the generally accommodating ISC is worried:
Until the publication of this Report, the capability was not publicly acknowledged, and there had been no public or Parliamentary consideration of the related privacy considerations and safeguards.
The legislation does not set out any restrictions on the acquisition, storage, retention, sharing and destruction of Bulk Personal Datasets, and no legal penalties exist for misuse of this information.
Access to the datasets -- which may include significant quantities of personal information about British citizens -- is authorised internally within the Agencies without Ministerial approval.
Huge, secret databases, with access authorized internally, that can be used without restrictions, and for which there are no legal penalties if misused: this is clearly a recipe for disaster. Had it not been for Snowden's leaks, we would never have heard about this, since the ISC would not have been under any pressure to produce the current report. Even though it amounts to little more than a whitewash for the UK's intelligence agencies, it does reveal shocking new information that was not just unknown, but unsuspected.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+