Tombaky - Fotolia

Clegg unaware of GCHQ monitoring parliamentary emails

Former deputy prime minister tells a public meeting he was unaware parliamentary emails were scanned by system linked to GCHQ

Former deputy prime minister Nick Clegg has admitted he was unaware that GCHQ could scan parliamentary emails for national security or crime-detection purposes while he was in office.

Clegg made the statement at a public meeting in Parliament on Wednesday (15 June 2016), in response to a question by Computer Weekly.

GCHQ, the government’s largest intelligence-gathering agency, has access to the private emails of all MPs, including with their constituents, via a parliamentary spam-filtering service managed by US company MessageLabs – a subsidiary of Symantec – Computer Weekly has revealed.

The panel of speakers included Dominic Grieve QC, the chair of parliament’s Intelligence and Security Committee (ISC); Martha Spurrier, the new director of Liberty; and James Medine, the chair of the US’s Privacy and Civil Liberties Oversight Board.

Clash between privacy and security

The US board was set up in the wake of the 9/11 terrorist strike to find and safeguard a balance between the individual’s right to privacy, and the state’s need to maintain security. There is currently no equivalent body in the UK, and the panel discussion was convened to discuss clashes of interest between individual privacy and state intelligence collection.

Computer Weekly questioned whether the panel was aware that all parliamentary email is scanned by the MessageLabs system, which is connected to GCHQ through a security network called Haruspex. Clegg was asked if he had been aware of the scanning when he was deputy prime minister. He replied: “No.”

The National Security Agency (NSA), which is the US counterpart to GCHQ, also has access to Microsoft datacentres via the Prism programme – including those in Dublin and the Netherlands used to store parliamentary emails. Prism gives the NSA access to more than nine technology companies, including Microsoft, which are required to share users’ data under secret court orders.

Clegg’s convening of the panel follows attempts by the Liberal Democrats to bring in a Digital Bill of Rights to protect the privacy of British citizens while they were in coalition with the Conservative party. The bill would have prohibited the bulk collection of citizens’ data.

The only Lib Dem MP to speak at the time against the ban on bulk collection of data was Martin Horwood, whose former Cheltenham constituency includes GCHQ. Horwood lost his seat at the 2015 election to the Conservative Alex Chalk.

Horwood said he retains his faith in GCHQ’s work to protect MPs, but believes this should not extend to reading the correspondence of MPs. “I'm glad GCHQ do have this technical capability – and the current MPs they help to keep safe every day should be very grateful for it too,” he said. “But that, of course, is very different from reading MPs' emails.”

Horwood told Computer Weekly he was also concerned that the parliamentary email system may be less than fully secure.

“The house authorities do seem to me to have questions to answer, most obviously why they adopted a system that was less secure and more open to surveillance – and in all probability not just by GCHQ and the NSA,” he said.

UK intelligence operates to ‘high ethical standards’

At the Lib Dem-sponsored meeting, ISC chair Grieve said he was struck by the high ethical standards to which the intelligence agencies work.

Horwood shared this view. “I'm sure GCHQ does have very high technical capabilities, but they also operate within one of the strictest legal, supervisory and regulatory regimes for electronic surveillance anywhere in the world,” he said.

Grieve acknowledged that in recent years, as per findings of the Investigatory Powers Tribunal (IPT) – Britain’s most secretive intelligence-focused court – there may have been “errors” made, rather than “some sort of conspiratorial impropriety to violate the privacy of the public”.

The IPT revealed in 2015 that the UK government’s access to and storage of data obtained from the US – via Prism and upstream wire-tapping – would have contravened articles 8 and 10 of the European Convention of Human Rights prior to February 2015.

Article 8 holds that everyone is entitled to respect for the privacy of their home, family and communications. Article 10 is concerned with the rights to freedom of expression and information.

ISC has ‘concerns’ over Investigatory Powers Bill

Grieve made clear that the ISC does have concerns with the Investigatory Powers Bill currently before Parliament and has made recommendations to the government, particularly around privacy.

“We would have preferred to see the privacy issue treated discretely, with any explanation as to when you could depart or the state was entitled to depart from it for the sake of national security,” he said.

The recommendation was not taken up, however. “The government chose not to do that,” added Grieve.

The Investigatory Powers Bill has been written to provide explicit legal authority for existing and planned suspicionless surveillance activity, including by automated hacking attacks, bulk collection from internet backbone and switches and UK internet service providers, as well as issuing secret orders to manufacturers and service suppliers to compromise security without notifying customers.

In previous statements to Computer Weekly, the Cabinet Office and the House of Commons have denied that MPs emails are intercepted.

A Cabinet Office spokesman said: “The suggestion that GCHQ routinely collects and reads the emails of parliamentarians is simply wrong. The Wilson Doctrine, which strictly controls any access to parliamentarians’ communications, applies in full to GCHQ.”

Parliamentary Digital Service director Rob Greig added: “The emails and documents of members and staff of Parliament are private, and all data in transit to the Microsoft datacentres is secured with a very high level of encryption designed to prevent data interception.”

The Investigatory Powers Bill has passed its final reading in the House of Commons and has progressed to the House of Lords.

Read more on Data centre networking