Revised version of our March report into GCHQ's activities and the problems it creates.
We have revised and republished our report to take account of information from the ISC, Anderson and RUSI review. The report is in two sections; a technical review of the evidence (part one) and an analysis of the policy and legal considerations (part two). because of its length we have published the report as an ebook.
Our recommendations from the report
The bulk collection of communications data without targeted suspicion is mass surveillance. The bulk collection of global communications data should end. Surveillance should be targeted, necessary and proportionate.
Regulation of GCHQ’s activities
CESG is the UK’s National Technical Authority for Information Assurance (IA), which is responsible for ensuring that information systems used in the public sector are properly secured. This is inconsistent with GCHQ’s activities that exploit Internet vulnerabilities. The responsibility for the CESG should be removed from GCHQ and held by an independent organisation.
Each stage of surveillance – access, collection, technical processing, analysis and invasive activities – should be properly regulated. Access to core communications infrastructure – cables, satellites, internet exchanges – should be subjected to more transparency and oversight separately from specific data collection activities.
A completely new system for authorising invasive activities – with much greater levels of transparency and oversight – is required as part of an overhaul of the regulation of technical processes within surveillance.
There should be clear regulations to protect civilians and businesses from the risks posed by GCHQ’s offensive activities.
The vast amounts of information collected, the increasing use of automated systems create risks around the ability of government to control the outputs of intelligence. We need greater assurances that controls on dissemination work today with the myriad security agencies sharing data as part of the global US-led coalition. After all Snowden himself was able to access highly sensitive materials.
RIPA and DRIPA must be repealed and replaced by new comprehensive surveillance legislation that complies with human rights law.
This legislation should:
The use of publicly available data should be more tightly regulated. Intelligence agencies can paint an intimate picture of our lives simply from our public online activities without any targeting. Researchers have confirmed that simply clicking endorsements in social media reveals likely political opinions, sexual preferences, lifestyle preferences, social circles, personal habits and patterns of behaviour. Many of these attributes are considered sensitive data that can lead to discrimination under UK data protection law and must be treated with special caution.
The personal information of persons in British soil processed by the NSA needs stronger protections. There is no formal legal basis for these data sharing operations, and any safeguards are based on secret agreements among agencies that do not provide sufficient guarantees around this human rights intrusion. Conversely, the use of US data, including PRISM, needs formal protections. Right now GCHQ voluntarily applies the same safeguards as for intercepted materials, but this does not provide the legal certainty required to be compatible with human rights laws.
Judicial authorisation of warrants
All surveillance decisions (including the interception of communications, access to communications data and receipt of intelligence from foreign agencies) must be subject to prior judicial authorisation and ongoing judicial control, instead of authorisation by Government Ministers. This authorisation should be by serving judges.
The offices of the Intelligence Services Commissioner and the Interception of Communications Commissioner should be reformed so that they are truly independent, reporting to Parliament not the Executive. They need adequate resources to scrutinise more warrants, carry out searching investigations and publish key statistics. They should remain focused on oversight and not authorisations, which should fall on the judiciary broadly.
The ISC must be fully reformed. The committee should be answerable directly to Parliament rather than to the prime minister and take its own decisions on reporting and publication. The committee must be appropriately funded and staffed with independent experts able to undertake detailed forensic investigations, and an independent secretariat, including independent legal and technical advisors. The committee should have strengthened legal powers to compel the production of information and the attendance of witnesses. The chair of the committee should be a member of the largest opposition party and the Commons members of the committee should be elected.
The Investigatory Powers Tribunal should adopt a more fair and open procedure. This should include:
Parliament must ask what exact mechanisms are available for the overseeing of access to data by US security services in the many available channels. For example, security sources have stated that when UK systems identify sensitive data of interest for further investigation, this is noted and passed on to the intercept commissioner. Parliament must ensure that this is also the case with US operatives.
There needs to be greater transparency about how the agencies operate, including:
The Government should cease breaking encryption standards and undermining internet security. Such activity should be explicitly prohibited by legislation.