UK first to bring surveillance under rule of law, says former GCHQ director

Former GCHQ head David Omand says the UK will be the first country in Europe to legislate to regulate digital intelligence and put it under judicial supervision with judicial review

The UK will be the first country in Europe to bring secret surveillance activities of the state fully under modern rule of law, says former GCHQ director David Omand.

“There is a phase change going on in the relationship between the secret state – the secret world of intelligence – the British public and parliament,” he told the Wired Security conference in London.

“We will be the first in Europe to do this, and I hope we will not be the last,” said Omand, adding that the change has been coming for 500 years since the first use of secret intelligence in Britain.

Although Omand believes this change is inevitable, he said it has been accelerated by Edward Snowden’s 2013 revelations of mass internet surveillance by the US and its allies.

What followed, he said, were the “years of digital revelation” as the public and most parliamentarians woke up to the private sector monetising data and to the intelligence agencies using digital intelligence.

“Some of what was reported was not quite right, and some of it was misunderstood by the journalists, but it kick-started a new phase in history that will bring all that secret activity under the rule of law,” said Omand.

It also kicked off a “moral panic” across Europe about privacy, he said, and then in 2015 into 2016 people began to realise that this activity had a purpose.

“This was a painful realisation, and some of the countries that had shunned the UK and US and its intelligence-gathering then came running to say ‘we want to do this too, teach us how to do digital intelligence because we have some very serious threat problems in Europe’,” said Omand.

“And the same was true in the cyber world, where the world saw the largest fraud for gain attack, the largest-ever hack and the weaponisation of information, but it is now clear that intelligence is one of the keys to cyber security.”

Global coincidence

In the past 10 years, said Omand, there has been a global coincidence of urgent demands for information about the people who mean us harm with the fact that people are increasingly placing personal information in the digital world.

“What has happened is a dynamic interaction between world intelligence and the digital spaces, where the intelligence officers have said that if that information is being collected by private companies, lawfully we can find ways of accessing that information to make our job easier,” he said.

The intelligence agencies have also been looking at the development of technology and seen the opportunity to develop software that could be implanted in websites used by paedophiles to find out who is live-streaming child abuse.

“That dynamic interaction has been going on for the past five years and is likely to continue, and the question I am addressing is how much of this are we prepared to allow, how far do we put that under the constraint of the rule of law?” said Omand.

“If 2013 and 2014 were the years of digital revelation and 2015 and 2016 were the years we woke up to the need for intelligence to confront the threats we face, 2017 and the years that follow had better be the years of reconciliation in which we recognise, as a mature democracy, that it is possible to have sufficient security and sufficient respect for privacy, that you don’t have to trade them off, that you can have enough of both, but the key to that is the rule of law.”

In the past, the rule of law was based on statutes but also royal prerogative and often secret directives, he said. “But today we insist on rule of law based on statute law that every citizen can read and find comprehensible so that citizens can understand the way the law affects them and the way in which the authorities are using perfectly lawful powers to obtain the information they need for their investigations.”

The Investigatory Powers Bill, which is currently passing through the final parliamentary stages of becoming law, provides for the rule of law, said Omand.

“It provides transparency in an unparalleled debate on the issue, it provides for regulation and warrants, judicial oversight and, crucially, it also embodies at the very beginning of the bill the concept of restraint and privacy rights,” he said.

Omand said that although the bill contains powerful tools for accessing bulk data, interception in bulk, equipment interference and bulk personal datasets, all of those methods used in digital intelligence will now be regulated under law once the bill is passed.

“The UK will be the first country in Europe to actually legislate to regulate that, to put it under judicial supervision, to have judicial review and sign-off on warrants and all the rest of it,” he said.

Inherent contradiction

One important question, said Omand, is whether there is an inherent contradiction between obtaining the intelligence we need to keep ourselves safe and working to secure digital systems.

“The public and business need strong encryption because we are completely dependent for our social and economic future on the integrity of the internet and confidence in the internet, and we all know that strong encryption helps the criminals and the terrorists,” he said.

As an example, he cited a recent incident in which an attacker armed with a knife was in real-time contact via a secure app with his handler in Syria.

Law enforcement is doing its best to target criminals and terrorists, said Omand. “What they need is access to communications data, meta data and internet connection records to establish who is contacting whom,” he added. “This, rather than content, is what is really important.”

Huge difficulties

However, law enforcement is understaffed, underskilled and faces huge difficulties in tackling the problem, which is why intelligence agencies in the UK try to help, he said.

“But what they need most of all is covert access to bulk data to discover new threats and new malware, which begs the question of how to manage the apparent contradiction,” said Omand. “But the answer is you can’t manage it, you have to satisfy it by balancing security with respect for privacy.

“This is a paradigm shift to a very different world of transparency and judicial oversight from the one we have quite successfully run for the past 10 years and will be a challenge, but I am very confident that my old colleagues in the intelligence community are going to give it their best shot.”
