Collect it all: GCHQ and mass surveillance

Revised version of our March report into GCHQ's activities and the problems it creates.


We have revised and republished our report to take account of information from the ISC, Anderson and RUSI review. The report is in two sections; a technical review of the evidence (part one) and an analysis of the policy and legal considerations (part two). because of its length we have published the report as an ebook.

Download the report as .epub

Our recommendations from the report

Bulk collection

The bulk collection of communications data without targeted suspicion is mass surveillance. The bulk collection of global communications data should end. Surveillance should be targeted, necessary and proportionate. 

Regulation of GCHQ’s activities

CESG is the UK’s National Technical Authority for Information Assurance (IA), which is responsible for ensuring that information systems used in the public sector are properly secured. This is inconsistent with GCHQ’s activities that exploit Internet vulnerabilities. The responsibility for the CESG should be removed from GCHQ and held by an independent organisation.

Each stage of surveillance  – access, collection, technical processing, analysis and invasive activities – should be properly regulated.  Access to core communications infrastructure – cables, satellites, internet exchanges – should be subjected to more transparency and oversight separately from specific data collection activities.

A completely new system for authorising invasive activities – with much greater levels of transparency and oversight – is required as part of an overhaul of the regulation of technical processes within surveillance.

There should be clear regulations to protect civilians and businesses from the risks posed by GCHQ’s offensive activities.

The vast amounts of information collected, the increasing use of automated systems create risks around the ability of government to control the outputs of intelligence. We need greater assurances that controls on dissemination work today with the myriad security agencies sharing data as part of the global US-led coalition. After all Snowden himself was able to access highly sensitive materials.

Legal reform

RIPA and DRIPA must be repealed and replaced by new comprehensive surveillance legislation that complies with human rights law.

This legislation should:

  • Give communications data the same protection as the content of communications;
  • Ensure data retention by communications service providers is  targeted and specific;
  • Close down loopholes, such as the inadequate criteria used to define ‘internal’ and ‘external’ communications;
  • End ad-hoc warrants that allow collection of Bulk Personal Datasets. These should be brought into a single simplified regime of much narrower authorisations with clear expiry dates;
  • Review the distinction between foreign and domestic communications. The UK must respect the human rights of non-British citizens.

The use of publicly available data should be more tightly regulated. Intelligence agencies can paint an intimate picture of our lives simply from our public online activities without any targeting. Researchers have confirmed that simply clicking endorsements in social media reveals likely political opinions, sexual preferences, lifestyle preferences, social circles, personal habits and patterns of behaviour. Many of these attributes are considered sensitive data that can lead to discrimination under UK data protection law and must be treated with special caution.

The personal information of persons in British soil processed by the NSA needs stronger protections. There is no formal legal basis for these data sharing operations, and any safeguards are based on secret agreements among agencies that do not provide sufficient guarantees around this human rights intrusion. Conversely, the use of US data, including PRISM, needs formal protections. Right now GCHQ voluntarily applies the same safeguards as for intercepted materials, but this does not provide the legal certainty required to be compatible with human rights laws.

Judicial authorisation of warrants

All surveillance decisions (including the interception of communications, access to communications data and receipt of intelligence from foreign agencies) must be subject to prior judicial authorisation and ongoing judicial control, instead of authorisation by Government Ministers. This authorisation should be by serving judges.

Oversight 

The offices of the Intelligence Services Commissioner and the Interception of Communications Commissioner should be reformed so that they are truly independent, reporting to Parliament not the Executive. They need adequate resources to scrutinise more warrants, carry out searching investigations and publish key statistics. They should remain focused on oversight and not authorisations, which should fall on the judiciary broadly.

The ISC must be fully reformed. The committee should be answerable directly to Parliament rather than to the prime minister and take its own decisions on reporting and publication. The committee must be appropriately funded and staffed with independent experts able to undertake detailed forensic investigations, and an independent secretariat, including independent legal and technical advisors. The committee should have strengthened legal powers to compel the production of information and the attendance of witnesses. The chair of the committee should be a member of the largest opposition party and the Commons members of the committee should be elected.

The Investigatory Powers Tribunal should adopt a more fair and open procedure. This should include: 

  • public hearings, unless the government demonstrates that secrecy is required in the particular case; 
  • the disclosure of evidence and publication of judgments and reasons published, unless the government demonstrates that secrecy is necessary; 
  • the appointment of a special advocate if a closed hearing is required; and the ability to appeal decisions.

Parliament must ask what exact mechanisms are available for the overseeing of access to data by US security services in the many available channels. For example, security sources have stated that when UK systems identify sensitive data of interest for further investigation, this is noted and passed on to the intercept commissioner. Parliament must ensure that this is also the case with US operatives.

Transparency

There needs to be greater transparency about how the agencies operate, including:

  • agreements between communications companies and the government that allow the tapping of fibre-optic cables to collect data;
  • the computer processing of bulk collected data;
  • how foreign security services access UK citizens’ data;
  • the cyber warfare capabilities of GCHQ and the basic rules of engagement for cyber operations.

Internet security

The Government should cease breaking encryption standards and undermining internet security. Such activity should be explicitly prohibited by legislation.