The ISC’s post-Snowden report: not that much of a landmark after all

This week saw what has been described as “a landmark report prompted by the revelations of Edward Snowden”. It was issued by the British parliament’s intelligence and security committee (ISC), following an 18-months inquiry.

While the report has been hailed by some because it finds that the legal framework that regulates the work of the British intelligence agencies is “unnecessarily complicated and – crucially – almost impenetrable”, allowing “[t]he current laws [to] be construed as providing the agencies with a “blank cheque to carry out whatever actives they deem necessary”,” it also – equally crucially –

finds that existing laws are not being broken by the agencies and insists the bulk collection of data by the government does not amount to mass surveillance or a threat to individual privacy.

Misleading definitions

The latter finding is more than a little misleading. That is because the ISC understands mass surveillance to mean that any records that are being stored have to be read by a human for the practice to be counted as surveillance. Therefore, “as most of the material GCHQ collects is never looked at by its staff, this cannot be said to be mass surveillance.”

Not only is this definition of surveillance – which is shared by the NSA – far from uncontested. What is more, while “[t]he ISC report notes on several occasions that GCHQ stores only a small percentage of what it intercepts (the exact figure is redacted)”, this doesn’t take into account the fact

a huge portion of traffic [the GCHQ] intercepts is peer-to-peer file sharing, and video streaming. These large files are of no value to the agency, and so are filtered out of its intercepts. That means the agency could be storing every bit of (say) email traffic that crosses its sensors, but still say it is not retaining the vast majority of what it intercepts.

We have come across this kind of semantics many times before:

1.) bulk collection and mass data retention aren’t mass surveillance as long as no human looks at the data (never minding the fact that just because no one is looking at it now that doesn’t mean they won’t be looking at it later).

2.) the majority of content is filtered out (a claim that may be more than a little disingenuous because the kind of content that is of little value to the agencies are files of huge sizes, as compared the kind of content the agencies are interested in, which is much smaller in size. Thus when the agencies claim that they filter out the majority of content, what they might actually be talking about is mass in terms of file size, not mass in terms of revelatory records.)

It is therefore important to bear in mind that

the simple fact of your communications or internet activity being stored gives the potential for it to be accessed, deliberately or accidentally, properly or not (some intelligence staff have lost their jobs for improperly accessing personal data, the report reveals).

The fact that some intelligence staff have lost their jobs for improperly accessing personal data is more worrying than the ISC – which maintains that there were only “a small number of” incidents – lets on. It shows the potential for abuse and makes another of the report’s findings all the more worrying:

In the single most important revelation, the report reveals for the first time that the agencies have had the capability to trawl through personal records and form and examine “bulk personal datasets” without any statutory oversight (my emphasis).


Bulk personal datasets, no statutory oversight

Now, “bulk personal datasets” may sound a bit obscure so here is what they are:

datasets containing personal information about a wide range of people [which] vary in size from hundreds to millions of records…there is no legal constraint on storage, restraint, retention, sharing and destruction.

Someone correct me if I’m wrong but what I understand this to mean is that there is potentially a whole load of personal data, up to millions of records on some people, with no legal constraint on how that data is stored, kept, shared or destroyed. So, potentially huge stacks of personal data have been collected on some or all of us and there is no legal framework making sure that the data doesn’t get stored indefinitely or shared with third parties (which we know has been happening and was previously ruled unlawful). What is even more concerning – this is where the oversight bit comes in – is that “[s]urveillance agencies do not require ministerial authorisation to access the information.” So not only could the agencies store everything, they could also access it without authorisation from a minister (or judge) if they so wished.

While the report doesn’t reveal the nature of the information stored in these datasets, they have been likened to a telephone directory of “people in a certain category of interest to the agencies.” This may sound reassuringly exclusive but it probably isn’t:

Firstly, the idea of a phone directory

gives a hint as to what these datasets are likely to be: information collected by private companies and resold to the government. Such information could potentially cover… credit ratings information, or information from social networking apps. It could also include information like address history (to see who used to live together) or phone number history.

To take the telephone directory metaphor further, your name and phone number can potentially tell the agencies a lot about you, if the spooks connected that data to other records. Put together, different sets of metadata could paint quite a detailed picture of who you are and who you associate with. This is particularly troubling when you consider that “the call records of UK citizens can be accessed without individual warrants.”

Secondly, “people in a certain category of interest to the agencies” is incredibly vague. When does a person become a person of interest? Does this include, for example, anti-fracking protesters, people who attend certain political rallies, people who attend cryptoparties? It’s been known to happen.


Metadata: much more intrusive than the ICS concedes

Speaking of the much-discussed metadata: the ISC considers metadata access much less intrusive than content and therefore argues that it “needs fewer safeguards to collect”. However, whether or not accessing records of your entire call history – how often you called someone, when and for how long – is less intrusive or telling than listening to the content of individual calls is open to discussion.

An example: your phone records could show that you made a call to your gynaecologist, then several calls to your boyfriend a couple of days later and then a call to an abortion clinic. Far from being less intrusive, this could give people a pretty good idea about what the content of your individual calls might have been – and possibly also allow a good guess at the status of your relationship.

Interestingly, the ISC makes a distinction between what is calls “regular” as opposed to “irregular” metadata. Irregular metadata, such as “your exact location, internet history, or even passwords”, the ISC concedes, “has the “potential to reveal a great deal about a person’s private life”.” As such, the ISC recommends that is should be called “communications data plus” and have additional safeguards versus regular metadata.” At least that concession is “a stark contrast to the views of the intelligence agency bosses” and the ISC recommends “new privacy constraints on the communications data that goes beyond the narrow definition of “what, when, where of communications”, such as web domains visited or location tracking information in a smartphone.” However, Paul Bernal raises some crucial points about the ICS’s understanding (or lack thereof) of the value of metadata to the GCHQ that are worth reading. As is his entire blog post on the subject.
Internal vs external communications: a meaningless distinction

One of the most bewildering aspects of the data collection and retention debate has been the much-contested distinction between “internal” and “external” communications. This is important because foreign intelligence agencies aren’t allowed to access the “internal” communications of the country they operate in, while domestic intelligence agencies need warrants to do so. Hence, someone in the UK making a phone call to someone else in the UK would be protected from GCHQ surveillance, while MI5 and MI6 would need to obtain a warrant to access the communications. In the internet age, the distinction between these two types of comms isn’t as clear-cut, however, and thus allows for the exploitations of various legal loopholes: if someone in the UK chats to someone else in the UK via Facebook, that communication takes place on a Facebook server that is located somewhere in the US and could therefore be classed as external. The ISC itself concedes that the distinction between external and internal communications has been rendered meaningless.

This is especially interesting when considering that while the ISC report states that the communications of someone in the UK cannot be searched for (within all those communications that the spooks have stored) without a warrant, it doesn’t say that these cannot be read without a warrant. What this means is that if you in the UK spoke to your friend in Germany, your end of the communication could not be searched for by the GCHQ but your friend’s could. The spooks could get at your communications through your friend and – because no warrant is required to read them – peruse them at their leisure.

Hence, one of the report’s recommendations is that

the communications of UK nationals abroad should receive the same level of protection under the law irrespective of where the person is located. The interception and communication of data should be authorised through an individual warrant signed by a secretary of state.

What this requirement doesn’t address is the question of what happens when a UK national in the UK communicates with a non-UK national outside of the UK who wouldn’t be covered by that level of protection. Back we are to a loophole.


Edward Snowden “not helpful” according to the ISC

The ISC’s view on Edward Snowden – without whom a review of these practices would not have taken place – is noteworthy:

The committee would take the view that stealing classified information and releasing it across the world is not helpful. But this report is not about Edward Snowden.

Given that the committee has just concluded an 18-month inquiry into the practices of the UK’s intelligence agencies and found the legislation governing these practices in dire need of reform and grounds for “serious concern”, the idea that Snowden has been unhelpful by making people across the globe aware of what the NSA, the GCHQ and others like them are doing seems bizarre.


Don’t get too excited: it’s not as “hallmark” as all that

The call for an overhaul of a “piecemeal and… unnecessarily complicated” legal framework and greater transparency is indeed important and the ISC’s demand that all “capabilities which provide the content of an individual’s communications should be subject to the same legal safeguards” (i.e. justified as legal, necessary and proportionate and subject to a ministerial warrant) is somewhat promising (even though some ministers, like Philip Hammond, do not seem to quite understand what exactly it is, they are signing warrants for).

Yet, the ISC’s “lengthy defence of the bulk collection of data”, its finding that “all the surveillance activities of the intelligence agencies are lawful and proportionate” and its conclusion that bulk collection “does not amount to mass surveillance since the agencies have neither the resources nor desire to examine all the information they gather” means that we cannot get too excited about the report either – as many civil liberties and civil rights activists who have criticised both the report and the ISC have pointed out.

The Guardian’s Alan Travis takes issue with the fact that

[i]t is hard to believe reading the ISC report that in the past few weeks GCHQ has twice been found to have been acting unlawfully for the past seven years for failing to disclose the human rights safeguards it employs in its bulk data collection programmes.

In parts, the report indeed does make it seem as if privacy was perceived as little more than “a technicality”.

Personally, I find it concerning that the ISC finds that “[t]he disruption of terror attacks trumps privacy concerns when it comes to bulk interception”. Not only does this continue the scaremongering we have seen so much of over the past years and months but also is there little evidence that bulk collection and mass data retention are effective tools for preventing terrorist attacks.

The ISC’s statement that “[w]hile we recognise privacy concerns about bulk interception, we do not subscribe to the point of view that it is acceptable to let some terrorist attacks happen in order to uphold the individual right to privacy – nor do we believe that the vast majority of the British public would” is disingenuous not only because of the lack of evidence that bulk collection stops terrorists but also because the British public, effectively, hasn’t been asked.

It shall be interesting to see how substantial legislative reforms will be in the time to come and whether a “a serious and sustainable framework” that – crucially – includes “a “shield law” for journalists” that will allow them “to protect their sources, materials and communications” will be achieved, or if the ISC report has indeed paved the way for the Snooper’s Charter.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s