Report Says UK Citizens Must Give Up Right To Privacy Because 'Terrorism', Reveals Huge Secret Government Databases

from the may-include-significant-quantities-of-personal-information dept

As Techdirt has noted previously, the UK body nominally responsible for overseeing the intelligence services, the Intelligence and Security Committee of Parliament (ISC), does little more than rubber-stamp what has taken place. The new ISC report "Privacy and Security: A modern and transparent legal framework" (pdf) is more of the same. Here is its own summary of the findings:

The UK's intelligence and security Agencies do not seek to circumvent the law.

However, the legal framework is unnecessarily complicated and -- crucially -- lacks transparency.

Our key recommendation therefore is that all the current legislation governing the intrusive capabilities of the security and intelligence Agencies be replaced by a new, single Act of Parliament.

And that's it: basically, the ISC is saying that all that is needed is a bit of a legal tidying-up. In terms of more detailed recommendations, the report suggests that the abuse of interception powers should be made a criminal offense -- currently it isn't -- and that a new category of metadata called "Communications Data Plus", which includes things like Web addresses, needs slightly greater protection than "traditional" telephone metadata.

The heart of the report's failure can be found in its discussion of bulk surveillance:

Our Inquiry has shown that the Agencies do not have the legal authority, the resources, the technical capability, or the desire to intercept every communication of British citizens, or of the internet as a whole: GCHQ are not reading the emails of everyone in the UK.

But of course, nobody said GCHQ was doing that. The problem is that it is ingesting disproportionate quantities of the Internet's traffic passing into and out of the UK, and then analyzing it -- in other words, engaging in indiscriminate mass surveillance. The report pretends to address that issue, writing:

GCHQ's bulk interception systems operate on a very small percentage of the bearers that make up the internet.

A "bearer" refers to one of the main connections to the Internet -- typically fiber-optic cables capable of carrying many gigabits of information per second. The issue is not how many such bearers GCHQ taps, but which ones. One of Snowden's earliest and most important leaked documents suggests that spying on even a "very small percentage" of the bearers gives GCHQ almost total oversight of everyone's Internet activities. Moreover, the following does not help:

We are satisfied that they apply levels of filtering and selection such that only a certain amount of the material on those bearers is collected. Further targeted searches ensure that only those items believed to be of the highest intelligence value are ever presented for analysts to examine: therefore only a tiny fraction of those collected are ever seen by human eyes.

Targeted searches can be re-directed at any moment, giving GCHQ's "human eyes" access to anything they want. It is that potential for anything that is done online in the UK to be snooped upon that is problematic.

To see why, consider a parallel universe where CCTV cameras were installed in every room in every building in the country, but all on the understanding that only a "tiny fraction" of the videos collected would ever be seen by human eyes. Since there is no way of knowing whether the footage from the CCTVs currently recording you will be looked at, you may well constrain your activities in case they are. That same logic applies to gathering most UK Internet activity -- the only reason we don't see the chilling effects yet is that most people are unaware of what is happening.

Perhaps the UK public takes at face value assurances that only "external communications" are collected and analyzed. But the ISC report confirms for the first time that UK citizens using leading Internet services like Gmail or Facebook do indeed count as "external", and are therefore fair game:

This appeared to indicate that all internet communications would be treated as 'external' communications under RIPA -- apart from an increasingly tiny proportion that are between people in the UK, using devices or services based only in the UK, and which only travel across network infrastructure in the UK.

The ISC report tries to justify this bulk collection of everyone's data on the grounds that targeted surveillance is not enough:

It is essential that the Agencies can 'discover' unknown threats. This is not just about identifying individuals who are responsible for threats, it is about finding those threats in the first place. Targeted techniques only work on 'known' threats: bulk techniques (which themselves involve a degree of filtering and targeting) are essential if the Agencies are to discover those threats.

Leaving aside the point that it is quite possible to discover unknown threats by working from existing intelligence -- in other words, using tried-and-tested techniques that have been successfully applied countless times in the past -- this ignores a key issue: that bulk collection is disproportionate given the threat it is supposed to address. This was a view expressed by one of the report's expert witnesses, Isabella Sankey, from the UK civil rights organization, Liberty. As she put it:

Some things might happen that could have been prevented if you took all of the most oppressive, restrictive and privacy-infringing measures. That is the price you pay to live in a free society.

The ISC did not agree:

While we recognise privacy concerns about bulk interception, we do not subscribe to the point of view that it is acceptable to let some terrorist attacks happen in order to uphold the individual right to privacy -- nor do we believe that the vast majority of the British public would.

But once you take that position, you justify all kinds of intrusive surveillance -- including installing CCTV cameras in every room in every building. After all, it is quite possible that doing so would stop a terrorist attack at some point, and so by the ISC's logic it is quite acceptable to require this massive intrusion into people's private lives. As for its claim that "the vast majority of the British public" would not view it as acceptable to allow some attacks to happen as the price of living in a free society, the ISC offers no proof of this, but evidently assumes that people in the UK have been reduced to such a quivering, fearful mass by the UK government's constant warnings about "terror" that they will happily hand over their freedom in the vain hope this will buy them safety.

Although depressing, it's hardly news that the UK government now considers pervasive surveillance to be justified and palatable, even. But the ISC report does contain one big surprise:

The Agencies use Bulk Personal Datasets -- large databases containing personal information about a wide range of people -- to identify individuals in the course of investigations, to establish links, and as a means of verifying information obtained through other sources. These datasets are an increasingly important investigative tool for the Agencies.

The report says that some of these databases contain "millions of records", and that they may be linked together. Even the generally accommodating ISC is worried:

Until the publication of this Report, the capability was not publicly acknowledged, and there had been no public or Parliamentary consideration of the related privacy considerations and safeguards.

The legislation does not set out any restrictions on the acquisition, storage, retention, sharing and destruction of Bulk Personal Datasets, and no legal penalties exist for misuse of this information.

Access to the datasets -- which may include significant quantities of personal information about British citizens -- is authorised internally within the Agencies without Ministerial approval.

Huge, secret databases, with access authorized internally, that can be used without restrictions, and for which there are no legal penalties if misused: this is clearly a recipe for disaster. Had it not been for Snowden's leaks, we would never have heard about this, since the ISC would not have been under any pressure to produce the current report. Even though it amounts to little more than a whitewash for the UK's intelligence agencies, it does reveal shocking new information that was not just unknown, but unsuspected.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: gchq, isc, privacy, terrorism, uk

Head Of UK Parliamentary Committee Overseeing Intelligence Agencies Resigns After Being Caught In Sting

from the a-question-of-trust dept

The UK government's response to Snowden's leaks has been twofold: that everything is legal, and that everything is subject to rigorous scrutiny. We now know that the first of these is not true, and the second is hardly credible either, given that the UK's main intelligence watchdog has only one full-time member. There's one other main oversight body, the UK's Intelligence and Security Committee of Parliament (ISC), which is tasked with examining:

the policy, administration and expenditure of the Security Service, Secret Intelligence Service (SIS), and the Government Communications Headquarters (GCHQ).

The ISC was criticized as part of a larger condemnation of intelligence oversight by another UK Parliament committee. The head of the ISC, Sir Malcolm Rifkind, was reported by the Guardian as dismissing those criticisms as "old hat," as if that somehow made them acceptable. Rifkind has now been caught up in a rather more serious row, which involves reporters from the UK's Channel 4 and The Telegraph newspaper posing as representatives of a Chinese company:

PMR, a communications agency based in Hong Kong was set up, backed by a fictitious Chinese businessman. PMR has plenty of money to spend and wants to hire influential British politicians to join its advisory board and get a foothold in the UK and Europe.

Here's what Channel 4 and the Telegraph allege happened in their meeting with Rifkind:

Sir Malcolm also claimed he could write to a minister on behalf of our company without saying exactly who he was representing

Sir Malcolm added that he could see any foreign ambassador in London if he wanted, so could provide 'access' that is 'useful'

Rifkind said that he was "self-employed" -- in fact, he is a Member of Parliament, and receives a salary of £67,000 per year -- and that his normal fee was "somewhere in the region of £5,000 to £8,000" for half a day's work. There's no suggestion that Rifkind made any reference during the sting to his role as head of the ISC, but that's not really the point. He was offering a Chinese company access to influential people purely because he would get paid to do so, and that is surely not the kind of person you would want to grant the high-level security clearance Rifkind enjoys.

Then there is the question of what happens when Rifkind leaves Parliament: as Techdirt noted back in 2012, politicians can earn huge amounts of money by going to work as lobbyists, drawing on their contacts to ease the path for legislation or contracts or whatever. According to the disgraced lobbyist Jack Abramoff, merely letting politicians know that a job as lobbyist was waiting for them if they wanted it can be enough to shift their loyalties. That would be hugely troubling if it concerned someone occupying such a sensitive position as Rifkind.

After initially being suspended from the Conservative party, pending a disciplinary review, Rifkind has now resigned as chairman of the ISC, and announced that he will not be a candidate for re-election in the UK's general election later this year. He probably decided to fall on his sword in an attempt to spare the UK government further embarrassment, but his move will do little to bolster the dwindling credibility of the ISC, or the repeated claim that there are no problems with oversight of UK intelligence services.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: cash for access, corruption, intelligence and security committee, isc, malcolm rifkind, oversight, security service, surveillance, uk