The intelligence services have robust safeguards and oversight in place to protect people’s privacy when sharing highly sensitive data on the population with overseas intelligence agencies, industry partners, UK government departments and law enforcement, the UK’s most secret court heard yesterday (18 October 2017).
James Eadie, representing the government and the intelligence services, told the Investigatory Powers Tribunal that European law did not require detailed provisions in statute to permit GCHQ, MI5 and MI6 to share personal data – which can include records of the public’s telephone calls, internet browsing, social media activity, financial transactions, travel history and location.
“It can be softer law,” he said, “based on a range of law and practice.” It is not just about the legal structure, he added. “The tribunal is entitled to have regard whether those safeguards are practically effective.”
Eadie was speaking during the second day of a three-day hearing at Southwark Crown Court into the intelligence agencies’ sharing of huge databases of sensitive personal information on UK citizens with other intelligence agencies in other countries, and UK government bodies, such as the police and HM Revenue & Customs (HMRC).
Privacy International, which is bringing the legal action, argues that there are inadequate safeguards and controls, and a lack of proper oversight, to protect the privacy of individuals’ data – the vast majority of whom are of no intelligence interest.
The case follows a ruling by the Investigatory Powers Tribunal last year that UK intelligence agencies had been unlawfully collecting the population’s mobile phone and internet data for 17 years, without adequate safeguards or supervision.
The hearing revealed that the commissioners responsible for overseeing the intelligence services had minimal support staff, lacked technical knowledge of data mining and analytics, and had not been informed that GCHQ shared sensitive bulk databases with industry and law enforcement.
It also emerged that the Interception of Communications Commissioner’s Office had carried out the first inspection of GCHQ’s acquisition of sensitive bulk communications data (BCD) - which began 19 years ago - in April this year.
Ben Jaffey, representing the NGO, told the hearing at Southwark Crown Court that the quality of supervision by the commissioners was deficient, the regime was non-compliant, and the current commissioner did not feel he had technical understanding. “The regime is ineffective,” he said.
The government has refused to confirm or deny whether MI5, MI6 or GCHQ share databases, known as bulk communications data (BCD) and bulk personal data (BPD), with law enforcement or overseas intelligence agencies.
It presented the court with a 38-page document outlining the statutory safeguards and guidelines for sharing bulk data. They included details of bulk personal data and bulk communications handling arrangements published in November 2015.
Publicly disclosed safeguards
Claims by Privacy International that there are no publicly disclosed safeguards to ensure that data sharing, should it occur, is conducted lawfully were wrong, Eadie told the court. “There are extensive published and written safeguards,” he said.
He rejected arguments by the NGO that the commissioners responsible for overseeing the work of the intelligence agencies lacked the staff, resources and technical expertise to conduct effective oversight.
The court was shown transcripts of evidence given by Sir Mark Waller, then the Intelligence Services Commissioner, to parliamentary committee meetings, in which he said he felt oversight was more effective with just one person, without support staff. “He says, actually I think it’s better, more efficient and more effective if it’s me,” said Eadie.
GCHQ knew that rather than have a junior legal representative, a very senior retired judge had the right to inspect any warrant he wanted, he said. “They know they are going to have to justify it.”
It was not necessary, he said, for the commissioners responsible for oversight to have a technical understanding of the way intelligence agencies collect and process data.
“All the holders of this office have been experienced judges, who are well used to probing matters in some depth,” he said. “They have got themselves into a position where they understand any technical issues that arise.”
IPT member Susan O’Brien questioned whether a former judge could be expected to understand data analytics and complex algorithms. “BCD [bulk communications data] involves highly technical issues,” she said. “It really is stretching the point that a high court judge can understand that."
“The judge who walks into GCHQ won’t have the technical knowledge to ask the right questions,” she said.
But Eadie said high court judges frequently have difficult cases to deal with and were capable of understanding the technical issues.
“The judge is quite capable of saying ‘I am interested in the subject of data mining, and I want to see how that occurs’”.
It was up to the commissioners to decide what resources they needed, and there was no need for the tribunal to “second-guess” their decisions, he said.
Sharing bulk data
A letter from Graham Webber, interim chief executive of the Investigatory Powers Commissioner’s Office, disclosed in the tribunal, suggested that the commissioners responsible for overseeing the intelligence agencies had been kept in the dark about the data sharing between the intelligence agencies and other organisations.
It confirmed that there was no corporate record that either the Intelligence Services Commissioner’s Office [ISCom] or the Interception of Communications Commissioner’s Office [Iocco] had carried out any reviews of bulk data sharing between the intelligence agencies and industry partners or law enforcement.
"Neither ISCom nor Iocco were previously informed by GCHQ that the sharing of BPD/BCD data sets with industry partners...had occurred," it said.
Eadie told the court that the fact that there was no information on the corporate record did not indicate that oversight was ineffective. “It is part of the regulatory process [for commissioners] to decide what to focus on,” he said.
The IPT president, Michael Burton, raised the prospect that in future, the Investigatory Powers Tribunal could provide additional oversight into data sharing with industry, to aid the commissioner.
GCHQ only shares data with industry partners to a minimal extent for systems development, said Eadie. "It is perhaps rather unsurprising that the commissioner is less focused on it than might be the position."
Failed database searches
The court heard that intelligence analysts are able to carry out searches across multiple databases simultaneously, allowing them to interrogate a “huge dataset”.
Eadie said, however, that the large number of null results obtained by intelligence analysts did not show that the intelligence services’ collection of data was disproportionate. “The argument is based on utter nonsense,” he said. “A search properly made has to be judged with the nature of the search…a null return is not valueless in security terms.”
The question is whether the use of these databases is proportional, but national security is at the heart of the question. "We respectfully submit that it is not an equal balance,” said Eadie.
The Investigatory Powers Act 2016 led to the creation of the Investigatory Powers Commissioner, to oversee the use of investigatory powers by the intelligence agencies, police forces, HMRC, local authorities and other government departments.
The Investigatory Powers Commissioner’s Office, headed by Lord Justice Adrian Fulford, replaced earlier regulators from 1 September 2017. It will be backed by a staff of 70 people, including 15 current and retired senior judges, known as judicial commissioners, 50 inspectors, technical and legal advisers, and a technology advisory panel of technical experts.
The new body replaces the Interception of Communications Commissioner’s Office, headed by Sir Stanley Burnton, who was responsible, among other areas, for overseeing the proper bulk communications data, and the Intelligence Services Commissioner’s Office, headed by Sir Mark Waller, who had responsibility for oversight of bulk personal datasets.
The court heard that intelligence agencies would only share data with overseas organisations - without admitting that any sharing occurred - if there was an equivalence in the way they safeguard data.
IPT president Michael Burton raised the prospect that once sensitive data had passed to another country, the UK may not have control over how it is used. “You can give it to a country, and they can do something that you view as unlawful. We have that with immigration and asylum seekers.”
In practice, said Eadie, the intelligence agencies would want an undertaking that data was not passed to a rogue state. There are provisions in place to stop sharing data with countries that do not comply, he said.
Burton questioned why GCHQ requires overseas organisations to have equivalent safeguards and protection, but MI5 and MI6 only require equivalent safeguards “in appropriate circumstances”.
“The differences are more theoretical than real,” said Eadie. An overseas partner could not be expected to have identical safeguards in place, he said. “Some flexibility would obviously be necessary and appropriate.”
“You need to be very careful before elevating a set of principles to a set of standards [otherwise] you have an irreducible minimum [standard] being created.”
GCHQ sets off amber alert
Iocco carried out the first inspection by the regulator of GCHQ’s acquisition of bulk communications data (BCD) in April this year - nearly two decades after collection began - it emerged during the tribunal.
The draft report - which rates compliance according to a system of “traffic light colours” - found that GCHQ had “emerged very well” from the inspection, but gave it two amber lights for non-compliance.
Iocco recommended that it works with GCHQ to modify the signals intelligence agency’s audit systems to allow the regulator to make more thorough inspections in future. “In particular to assess what BCD was accessed and the justification as to why it was necessary and proportionate,” it said.
Eadie told the court that the amber rating did not mean Iocco was dealing with a “systemic failure”.
“There is a contrast between red – which indicates non-compliance – and amber, which means remedial action should be taken as it could lead to a breach, if unaddressed,” he said.
National Security data repurposed for other uses
The government defended GCHQ’s use of Section 94 of the Telecommunications Act to obtain telephone and internet data, which allows it, in effect, to circumvent the safeguards in the Regulation of Investigatory Powers Act 2000 (RIPA).
The practice remained secret until November 2015, when the government “avowed” its existence with the introduction of the Investigatory Powers Bill.
The Counter Terrorism Act 2008 made it possible for GCHQ to repurpose information gathered for national security reasons, for “the prevention and detection of crime”, the court heard.
“That undermines any suggestion that the natural and proper inference from the existence of RIPA [Regulation of Investigatory Powers Act] is that Parliament was designing RIPA as an exclusive regime that would preclude any sharing by the agencies,” said Eadie.
Thomas De La Mare, representing Privacy International, said that if this was true, it followed that a body that is not entitled to obtain communications data under RIPA can still be provided with the data by the intelligence agencies.
Although there were limited cases where it would be lawful to disclose communications data to third parties, the safeguards in the handling guidelines were inadequate, he said. “What Mr Eadie asks for is a complete unvarnished circumvention of the RIPA safeguards.”
The Court of Justice of the European Union ruled in December 2016, in a case brought by MP Tom Watson, that European law did not allow the prescribed general and indiscriminate retention of the public’s email, phone and browsing data.
If you were to pose the question to the CJEU "can you avoid Watson safeguards being applied to organisations that are not law enforcement by gathering information for national security and repurposing it for serious crime", you are going to get a pithy answer: ‘no you cannot’, De La Mare told the court.
Questions over warrants
GCHQ has powers to order mobile phone companies and internet service providers to disclose vast swathes of communications data under a warrant signed by the secretary of state under Section 94 of the Telecommunications Act 1984.
Evidence disclosed in earlier hearings showed GCHQ’s “Section 94 directions” requiring internet and phone companies to hand over their data are worded in such a way that they allow the secretary of state to delegate the power to request communications data to the director of GCHQ, or any person authorised by him.
Eadie argued that the wording of the directions reflected “mechanics of compliance” used by GCHQ, and did not imply that GCHQ had the ability to act on its own discretion without approval from the secretary of state. It was not relevant, he said, that the directions might give the impression to a communications service provider ordered to disclose its customers’ data that the order came from GCHQ rather than the secretary of state.
Drawing an analogy, he said: “There is nothing inherently wrong if the secretary of state says ‘I order your house to be pulled down, and that will happen when the foreman arrives with the bulldozers’".
Burton said a more worrying point was that GCHQ could ring up a communications company and ask it to disclose a lesser amount of data than the secretary of state had authorised. This would imply that GCHQ, rather than a government minister, had discretion over the matter.
Eadie said that, in practice, this did not matter. “You are then in the position of the secretary of state authorising a lot of major things, which includes a lesser number of things [within it].” If the matter was referred to Europe, Eadie argued, the courts would not have an issue with this approach.
He claimed Privacy International’s legal team’s tactic was to fire arrows at the intelligence services, and if the arrows missed, to fire at the people responsible for overseeing them.
“You see the forensic technique, which is to seek to identify the targets, and if you can’t do that, to shoot the commissioner,” he said.
Ben Jaffey said that Eadie had introduced new legal arguments and evidence into the case at the last minute (on the second day of the three-day trial), despite having months to prepare. “It is not acceptable,” he said.
“I don’t know why Mr Eadie could not have spelled out his case in the skeleton argument as this court directly asked”.
The Investigatory Powers Commissioner’s Office, which took over from the Interception of Communications Commissioner’s Office and the Intelligence Services Commissioner’s Office on 1 September 2017, distanced itself from the allegations against the previous intelligence oversight regimes in a post on Twitter.
"The accusations around awareness of sharing have been made against the previous oversight regime. But we are bigger and with more powers," it wrote on 18th October.
Eadie told the court that a failure in one part of the intelligence oversight did not mean the whole system was at fault. “Any system is capable of generating a case of failure, but that is not enough to strike down the whole system”.
The case continues.