These are our first impressions on reading the Intelligence and Security Committee's key recommendations in its Privacy and Security Report.
The Intelligence and Security Committee (ISC) today released the results of their inquiry into GCHQ's surveillance.
The main recommendation of the report is a new act of Parliament to consolidate the current "complicated" and "piecemeal" legal framework into a single piece of legislation. It is important that the legal framework is clear and comprehensible, but it will be more important to constrain the agencies so that Internet users have greater protection from surveillance.
The report says "the agencies do not seek to circumvent the law", but in leaked documents, the agencies themselves say the UK has a light oversight regime. This suggests that they don't need to circumvent the law because the law is weak.
The report deals with GCHQ's mass surveillance under the term "bulk interception capability". In its assessment, the ISC has tried to minimise the extent and impact of bulk collection. They say that "GCHQ are not reading the emails of everyone in the UK" (our emphasis).
GCHQ analysts may not be physically reading all our emails on their screens, but GCHQ is collecting huge amounts of information and getting powerful computers to process and analyse it.
The report perpetuates the problematic approach that our privacy is only intruded upon when a human looks at the content of our communications. It ignores the invasiveness of profiling using metadata.
The key recommendations focus on communications' content when assessing the impacts of bulk collection on our privacy. The committee only talks of "targeted searches" that GCHQ analysts can do on intercepted communications. But leaked documents from Snowden show that analysts can do very broad searches on metadata such as 'all users of X technology in country Y'.
The ISC says GCHQ only has access to a small fraction of the global Internet infrastructure. They ignore, however, the fact that GCHQ works in close partnership with the NSA and the intelligence agencies of Canada, Australia, New Zealand, Germany, Sweden and many other countries. This gives GCHQ much greater access than the committee has acknowledged.
The current legal framework allows for the bulk collection of communications of anyone in the UK when they communicate with people abroad. The committee tries to reassure us that the agencies cannot search that pool of data for individuals in the UK without specific Ministerial authorisation for a named target. There are outstanding questions in this area, such as how GCHQ handles metadata from these communications, and to what extent GCHQ computers analyse this data to discover so-called "unknown threats".
We welcome the calls for increased transparency in the legal framework governing surveillance. But GCHQ's “Neither Confirm Nor Deny” policy must be reduced to what is strictly necessary. We also need transparency regarding GCHQ's collaboration with the NSA and other countries' intelligence agencies.
The report makes no recommendations on how GCHQ's data-sharing with the NSA and other allies should be properly regulated. They simply propose to introduce a warrant system and processes for exchanging intelligence reports. But this would not cover the broad range of activities uncovered by Snowden.
The committee makes some recommendations to reform intrusion by the agencies, but these fall short of properly regulating GCHQ's cyber offensive capabilities and collaboration. There is also very little mention of the implications of data sharing and the integration of GCHQ and the NSA for the UK's foreign policy.
The ISC has produced some interesting detail, with some practical suggestions, but the fundamental issues are not addressed. Nor do they explain why they didn't ask these questions and write this report prior to the Snowden leaks.
We will publish a much fuller analysis of the report once we've had time to read and digest it.
You can read ORG's report on GCHQ's activities here.