IT contractors not a risk despite Snowden leaks, GCHQ tells court

The government argues in the Investigatory Powers Tribunal that contractors with systems administration rights to computers holding GCHQ’s most sensitive intelligence pose no more of a security risk than the agency’s employees

The security risks of the intelligence services employing IT contractors, in the light of the leaks by Edward Snowden, are no greater than employing permanent staff, the government told Britain’s most secret court this week.

James Eadie, representing the government, told the Investigatory Powers Tribunal that contractors were subject to the same access controls to IT systems, and had the same levels of vetting, as the intelligence services' employees.

Eadie was responding to arguments from Privacy International that there had been no adequate independent oversight of contractors working at the intelligence agency.

Several thousand contractors, employed by GCHQ’s industry partners, work on GCHQ’s premises in Cheltenham and elsewhere, and use GCHQ IT equipment, according to evidence presented by GCHQ’s former director of mission policy.

Around 100 have systems administrator rights to IT systems containing highly sensitive data on individuals, held in bulk personal datasets.

“Our position is there is no material difference between employees and contractors,” Eadie told the court on the second day of a two-day hearing into the legality of GCHQ's use of bulk surveillance powers. “We don’t accept that there is a greater risk from contractors as a basic factual proposition.”

Reports by the Intelligence Services Commissioner in 2014 and 2015 showed that contractors at MI5 had committed serious breaches by making queries on databases containing highly sensitive bulk data with no proper business justification.

What the law requires

Section 9(1) to 2(a) of the Telecommunications Act 1984 requires the secretary of state to:

  • Personally consult with the people affected by a section 94 order
  • Give either a general or a specific section 94 direction
  • But only if the secretary of state considers that the conduct required by the direction is proportionate to its aims

MI5 had responded by writing to the companies that employed the contractors “stressing the gravity of the issue” and expressing their “displeasure at the situation”, said a report by the intelligence services commissioner.

Eadie told the court this was not a case of a “bad man wanting to steal information” as Snowden had done. “The tail piece is that they [MI5] did then take effective action. It is not difficult to see how effective sanctions could be taken by a company that did not have sufficiently rigorous processes,” he said.

GCHQ disclosed during earlier hearings that it shared operational intelligence data with industry partners. They are able to access data either on GCHQ’s premises, or remotely from their own premises, or have data transferred to their premises by secure courier.

One of GCHQ's most important partners is the University of Bristol, which runs the Heilbronn Institute for Mathematical Research with GCHQ, providing the intelligence agency with access to academic researchers with expertise in mathematics and computational techniques.

Independent oversight

Michael Burton, president of the Investigatory Powers Tribunal, told the court that the Intelligence Services Commissioner, Mark Waller, who provided independent oversight of the intelligence agency, had been aware of GCHQ’s use of contractors, but appeared not to have been told that GCHQ was sharing data with industry partners.

Eadie told the court that as GCHQ’s data sharing was carried out on a small scale, it would be wrong to draw any inference about the adequacy of Waller’s oversight of GCHQ. “The smaller the operation the less pressing it is for the commissioner to move in,” he said.

He agreed, however, with a member of the IPT panel, Charles Flint QC, that if a small-scale data sharing operation gave rise to a new and significant risk, that would be “something the commissioner ought to look at”.

There had only been one example of GCHQ sharing a database containing non-sensitive bulk personal data, which had been accessed by fewer than 20 people since 2010. And there had only been one example of GCHQ sharing a database that might have contained bulk communications data, the government said in written evidence.

Sensitive Relationships Team

Under Section 94 of the Telecommunications Act 1984, the secretary of state has powers to order telecommunications and internet companies to hand over data about their customers to the intelligence services.

The foreign secretary signed off the first Section 94 direction in March 1988, which was implemented by a trigger letter a few days later. By October 2016 the agency had issued 13 sets of directions to communications companies.

An analysis of the Section 94 directions by Privacy International showed that on every occasion until October 2016, the foreign secretary had issued a general direction for disclosure of data.

In reality, officials at GCHQ's Sensitive Relationships Team were responsible for deciding what specific data to request from the communications companies and when to request it - a practice that Privacy International argues amounts to unlawful delegation under the Telecommunications Act 1984 and undermines the secretary of state’s independent oversight of the intelligence agency.

Eadie told the court that the secretary of state was entitled to set up a system that gave GCHQ the ability to decide what data it could demand from telephone and internet companies. “The secretary of state is and remains answerable to Parliament. The secretary of state did and does decide that it is proportional to issue instructions under this set up,” he said.

Unlawful data collection

GCHQ replaced all of its operational section 94 directions in October 2016, after the Investigatory Powers Tribunal ruled that UK intelligence services had been unlawfully collecting bulk communications data for 17 years.

The new directions were intended to give communications companies specific detail about the data GCHQ was seeking, while GCHQ’s submissions to the foreign secretary were also more specific about the data the intelligence agency was asking for, according to evidence from GCHQ’s witness x.

Eadie told the court that if any of the s.94 directions before October 2016 were found to be unlawful, the changes “put the ship back on an even keel”.

“From this point on the data is specified on the cover,” he said. “There is no question of unlawful delegation of any description. The secretary of state directs, the direction is precisely in line with the data requested. The foreign secretary authorised it to be disclosed immediately. There is no delegation of any substantive decision making.”

Astonishing if true

Speaking on behalf of Privacy International, Ben Jaffey said the government’s claim that GCHQ recognises no difference between contractors and employees “was astonishing if true”.

That view was not shared by the Intelligence Services Commissioner, Mark Waller, or the Investigatory Powers Commissioner, Adrian Fulford, he said.

Waller recognised that employees and contractors were treated differently in a report in 2016.

“I have recommended that MI5 should make it plain to secondees and contractors that they are subject to MI5 rules of conduct regarding access to data and ensure all people working on MI5 premises know the consequences of misuse. This also applies to the other agencies,” he wrote.

The Investigatory Powers Commissioner’s Office (IPCO) began an investigation into the security arrangements for contractors working in the intelligence services last year.

IPCO told Computer Weekly in February: “We recognise the importance of the need for reviewing the security arrangements for contractors which may have access to sensitive data, particularly given the recent leaks by contractors in other countries. We began work last year, and it’s going to be a focus for our inspection activity in 2018.”

No adequate oversight of GCHQ's use of algorithms and artificial intelligence

Jaffey told the court there had been no adequate oversight by independent commissioners of GCHQ’s use of algorithms, machine learning and artificial intelligence to automatically identify which intercepted communications were of intelligence interest.

He urged the IPT to bring in a technical expert in a closed hearing to assess whether GCHQ's use of advanced technology was proportionate in law.

He cited a review of bulk surveillance powers by the then independent reviewer of terrorism legislation, David Anderson, in 2016, which found it was important to ensure that “authorising and oversight bodies have the requisite technical knowledge not just of current technologies but of present and emerging trends.”

Eadie, representing the government, said it was not necessary for the independent commissioners or the tribunal to have access to technical experts to provide effective oversight of GCHQ’s use of cutting-edge technology.

“The commissioners have all been sophisticated individuals, well used to querying until they understand a relevant system,” he said. “They are able to ask relevant questions.”

It was not a good answer to suggest that, because the new Investigatory Powers Commissioner’s Office, which took over responsibility for overseeing the intelligence services in September 2017, will be employing technical experts, the previous oversight regime was inadequate, he said.

Secretary of state delegated powers to GCHQ officials

Thomas De La Mare told the court that the question of how far the secretaries of state can transfer their powers to demand data from telecoms and internet companies to GCHQ officials had become an important point of principle.

Until 2013 GCHQ had complete discretion to renew Section 94 directions to technology companies. GCHQ’s witness x “had been very clear there was no role of the secretary of state”, De La Mare told the court.

GCHQ's use of Section 94 directions contrasts with lawful directions issued by the secretary of state for MI5, which made it clear to communications companies on the cover page of the order what data they had to provide - rather than leaving the decision up to MI5 officials.

Even under the new directions introduced in 2016, GCHQ still has “very considerable control”, including the ability to request data from communications companies that is similar to, but not quite the same as, the data authorised by the home secretary.

He told the court that Parliament had taken the trouble to appoint the secretary of state, rather than officials in GCHQ, as the decision maker. “Anything else tends to subvert parliamentary will.”

What GCHQ did

  1. The secretary of state did not consult with relevant people over the terms of the directions. GCHQ’s sensitive relationships team carried out the consultation without reporting back.
  2. GCHQ blurred the distinction between general and specific orders. The secretary of state issued broad orders but GCHQ decided the details itself.
  3. The secretary of state did not address whether the directions were proportionate. Directions were often sought asking for a broader range of information than GCHQ required.

The court heard that James Eadie had previously argued it was not permissible for the secretary of state to confer powers onto GCHQ officials, but had changed his position after GCHQ introduced new evidence in November and December.

“What Eadie did not identify to you was the extent to which his argument had changed. It is not just the facts that have changed, it is his submission on the law and construction on the relevant directions that have changed,” said De La Mare.

It was striking that Eadie had not engaged with the key parts of Section 94 of the Telecommunications Act 1984, which requires the secretary of state to decide what directions, either general or specific, to serve on organisations, to consult with them directly, and to consider whether they are proportional in law, he said.

Eadie accepted that GCHQ had presented the court with inaccurate evidence on several occasions during the course of the hearings, which later had to be corrected.

“There has been a failure of the agencies to comply with the tribunal. It is unfortunate that errors have been made, and it is for the tribunal to make a judgement,” he said.

The tribunal chairman, Michael Burton, said the IPT would take some time to make a decision.

Report of first day of the hearing: Government ‘unlawfully delegated’ bulk data powers to GCHQ
