A parliamentary committee in the United Kingdom dropped a bombshell of a report about the country’s intelligence agencies on Thursday, publicly acknowledging for the first time that the spies maintain huge databases about “large numbers of people” – with no explicit legislative backing for doing so.

The report by Parliament’s Intelligence and Security Committee (ISC) noted that some intelligence analysts have been disciplined or even dismissed for abusing these “bulk personal datasets”. It called for new legislation to consolidate the smorgasbord of laws that currently govern the agencies, to make it clearer to people what the spies actually do.

It also highlighted multiple holes in the oversight of the agencies’ activities and noted that current legislation leaves those in some professions, such as journalists and lawyers, without clear protections against surveillance. The committee also called for more fine-grained classifications of communications metadata, in order to improve safeguards for certain types of information such as the websites people are visiting.

New law, please

The ISC, which was led by Sir Malcolm Rifkind until his recent cash-for-influence scandal, is a cross-party committee that is supposed to keep an eye on the UK’s intelligence and security apparatus.

The report marks the end of an evidence-gathering exercise that began in July 2013, after Edward Snowden’s leaks about the activities of the NSA and GCHQ started coming out. Parts of the report were redacted because they included sensitive spy information and were only intended for the eyes of the prime minister.

The committee’s headline recommendation was that there should be a new act of Parliament to simplify the legislation that currently gives powers to and sets limits on what the spy agencies can do. The big ones there are the Security Service Act 1989 (governing MI5) and Intelligence Services Act 1994 (governing MI6 and GCHQ), but there’s also the Regulation of Investigatory Powers Act 2000, the Telecommunications Act 1984, the Terrorism Act 2000, the Data Retention and Investigatory Powers Act 2014, the Counter-Terrorism Act 2008 and the Wireless Telegraphy Act 2006.

The interplay between these laws is “absurdly complicated and… not easy for the public to understand”, the committee said, adding that while the Human Rights Act covered everything the spies do, it’s not clear to the public how this applies because people don’t have a clear understanding of what it is the spies do. The new legislation “must clearly set out the intrusive powers available to the agencies, the purposes for which they may use them, and the authorisation required before they may do so”, the committee wrote.

It’s obviously quite important that members of the public should be able to foresee when their communications are up for interception – though the ISC stressed that theirs was a “political view”, and it was really up to the European Court of Human Rights and the UK’s Investigatory Powers Tribunal (a mostly-secret spy court) to decide whether activities and laws passed the foreseeability test.

Bulk personal datasets

The report’s big surprise, though, was the first official disclosure of the existence of the agencies’ bulk personal datasets, described by the committee as “large databases containing personal information about a wide range of people”, and used to identify people, establish links, and analyse behaviour and connections. The more sensitive information in these datasets covers things like racial or ethnic origin, religion, political views, medical conditions, sexual orientation and so on.

There are no legislative controls on the use of these datasets, which isn’t terribly surprising as they’ve never been debated in Parliament. The agencies are instead backing up their use by pointing to the general powers given to them in the Intelligence Services Act 1994 and the Security Service Act 1989.

The agencies told the committee that they had strong internal controls for the use of the sensitive stuff, but there are no legal penalties for misuse and no ministerial authorisation required for data acquisition or use. What’s more, when the datasets are shared with overseas intelligence partners, there’s no control on their use at all.

Here’s the kicker: “Each Agency reported that they had disciplined – or in some cases dismissed – staff for inappropriately accessing personal information held in these datasets in recent years”. Being dismissed and being sent to jail (an option for the misuse of other intelligence community systems by agency employees) are two different things.

The committee recommended that “In the interests of transparency… this capability should be clearly acknowledged and put on a specific statutory footing… Given that this capability may be highly intrusive and impacts upon large numbers of people, it is essential that it is tightly regulated.” (At the moment, the Intelligence Services Commissioner supposedly keeps an eye on the datasets’ use, but only on a non-statutory basis.)

Bulk interception and metadata

When it comes to the bulk interception of communications running over the internet, the report shows a strong difference of opinion between the committee and the human rights groups that testified before it.

The pro-privacy groups said it wasn’t acceptable at all for the agencies to collect communications in bulk, much as United Nations experts have suggested. However, citing secret case studies shown to the committee by the spies, the ISC said that “GCHQ’s bulk interception is a valuable capability that should remain available to them” because it allows them to look for patterns and find people to target. “Without some form of bulk collection the Agencies would not be able to discover threats,” begging the question of what on earth happened to good old-fashioned human intelligence.

It said that the spies’ filtering techniques meant only a certain amount of communications are collected, a smaller amount is stored, and “only a tiny fraction of those collected are ever seen by human eyes”. The exact proportions were redacted in the report. The ISC also said that analysts couldn’t go on fishing expeditions due to controls and auditing mechanisms in the bulk intercept systems.

“While we recognise privacy concerns about bulk interception, we do not subscribe to the point of view that it is acceptable to let some terrorist attacks happen in order to uphold the individual right to privacy – nor do we believe that the vast majority of the British public would,” the report added.

Unsurprisingly, the Open Rights Group hit back on this one, saying in a statement: “The committee only talks of ‘targeted searches’ that GCHQ analysts can do on intercepted communications. But leaked documents from Snowden show that analysts can do very broad searches on metadata such as ‘all users of X technology in country Y’.”

Interestingly, the ISC said it had been surprised to learn that “the primary value to GCHQ of bulk interception was not in reading the actual content of communications, but in the information associated with those communications.” This refers to “communications data” – metadata about who called whom and when – as well as the “characteristics of communication”.

The report spent a fair amount of time on the metadata issue, noting that it makes it “possible to build a richer picture of an individual [but] remains considerably less intrusive than content… it does not therefore require the same safeguards as content does.” The ISC said, however, that some forms of communications data, for example around who a person was calling or which sites they were visiting, fell into a “grey area” that demanded a new classification called “Communications Data Plus”, with greater safeguards than those given to the phone-numbers-and-timestamp kind of communications data.

Holes

The committee identified several areas where there are insufficient controls on what the spies get up to. They complained that there was no legislation demanding an interception warrant for the receipt of information from foreign agencies, and not enough to explicitly control spying on British citizens who are overseas.

The report noted that there was a lot of confusion over what qualifies as internal (within the UK) and external communications – a serious difference, as it dictates what the spies can and cannot do, what authorisation they must seek, and so on. It cited the foreign secretary, Philip Hammond, as admitting that almost everything online qualifies as external communications because it runs through foreign servers.

“In respect of internet communications, the current system of ‘internal’ and ‘external’ communications is confusing and lacks transparency,” the report stated. “The Government must publish an explanation of which internet communications fall under which category, and ensure that this includes a clear and comprehensive list of communications.”

The encryption issue also came up – one of the key themes of the Snowden revelations was that GCHQ and the NSA work to undermine encryption standards and technologies so they can read the communications they want to read. The obvious problem with these activities is that they endanger the public, as a flaw in encryption can be exploited by anyone.

When the ISC asked GCHQ whether these efforts caused risk to the public, GCHQ replied that “… we have increasingly taken into account the interests of members of the public who will use relevant products”. The agency’s assurances were largely redacted in the report, and the committee concluded that “we are concerned that such decisions are only taken internally: Ministers must be kept fully informed of all such work and specifically consulted where it involves potential political and economic risks.”

The committee said there should be a “clear line of separation” within agencies between those asking for interception authorisation and those giving it. It also recommended that there should be a domestic right of appeal against Investigatory Powers Tribunal decisions.

As for keeping the privileged communications of lawyers, doctors and (maybe) journalists safe, the committee said there shouldn’t be blanket protections for such people – terrorists might use such exemptions as loopholes – but there should perhaps be statutory protection rather than just internal “safeguards”, as is now the case.

The response to all this from the Open Rights Group was fairly dismissive: “The ISC should have apologised to the nation for their failure to inform Parliament about how far GCHQ’s powers have grown. This report fails to address any of the key questions apart from the need to reform our out-of-date surveillance laws. This just confirms that the ISC lacks the sufficient independence and expertise to hold the agencies to account.”
