GCHQ heard you liked spying, so spied on itself spying on you

Privacy violations in spy-on-spy spying just human error, says intelligence commish

Sir Mark Waller, the Intelligence Services Commissioner, has delivered his fourth annual report to the Prime Minister, revealing that GCHQ's internal monitoring system slurped up its own employees' privates to an unauthorised degree.

The 69-page report noted that GCHQ reported an error to the commissioner in 2014, "when an internal monitoring system of some staff communications was found to be capturing more information than it was authorised to".

"I followed up on this error during my May inspection," Waller continued. "The team explained that because of a lack of understanding of the system's full capability, more data than had been authorised had been collected. It was clear to me that this was a technical error and not deliberate."

After discovering this error, according to the commissioner, GCHQ "deleted the captured data and reconfigured the system to ensure that it only collected the information that it was authorised to collect."

The commissioner also required the agencies to report to him any errors which might have occurred during a warrant application, authorisation, or when the warrant was put into operation. These errors were classed in three categories:

  • Category A: An administrative error such as a typo, which may be easily fixed
  • Category B: An inadvertent failure, such as an untimely warrant renewal when such a warrant would have been given
  • Category C: A deliberate decision to act without intention to seek authority

[Figure: Number of errors, by agency, reported in 2014]

The commissioner revealed 43 errors in 2014, 34 of which were reported by the agencies and nine of which were discovered during his own inspections. The majority were Category B errors. None were Category C.

Eric King, deputy director at Privacy International (PI), told The Register that "the attention to detail the Commission brought to bear on inaccuracies and errors in the warrants is impressive."

He continued: "I wonder if similar errors would be spotted in other areas of GCHQ's work if the commissioner had a larger staff, including those with significant technical capability, and the resources and remit to dig deep."

King added that "in a recent decision in the IPT [the Investigatory Powers Tribunal], the Tribunal found errors in both the length of retained communications and those who accessed them".

The Intelligence Services Commissioner is responsible for auditing the authorisations required by the intelligence agencies, and the Ministry of Defence, to enable their lawful use of intrusive powers, such as those available under the Regulation of Investigatory Powers Act and the 1994 Intelligence Services Act.

The report concludes that human errors have occurred in the intelligence services "as they will in any large organisation". Alongside some small recommendations, the commissioner's overall conclusion is that:

The agencies and the MoD take compliance extremely seriously and seek to obtain their authorisations on a correct legal basis, establishing necessity to do what they seek to do, and properly considering proportionality and the justification for any intrusion into privacy.

Following the line of Parliament's intelligence committee, which decided that dragnet communications data collection did not constitute mass surveillance, the commissioner wrote: "I am satisfied that the agencies properly consider and keep under review whether it is necessary and proportionate to hold or continue to hold Bulk Personal Data."

A long-awaited – though immediate by Chilcot standards – report by David Anderson QC also supported GCHQ's bulk collection of communications data when it was published earlier this month.

PI's King told us: "It’s clear that a more detailed, more overarching rethink of GCHQ’s mandate and legal framework was needed than was being provided by existing Commissioners, whose time wouldn’t stretch far enough to complete the usual oversight as well as a 'big picture' review."

He continued: "This is why the ISC, RUSI [the Royal United Services Institute] and David Anderson were all asked to take a step back and make recommendations on the issue as a whole. With that space, the ISC then described our current legal framework as 'unnecessarily complicated' and David Anderson called it 'opaque' and 'undemocratic'." ®
