Where is the law?
There are legal limits, too. GCHQ is only allowed to use the technique to read “external” communications, meaning either the sender, the recipient or both have to be outside the UK, the Channel Islands and the Isle of Man (the British Islands, in legalese). Anderson quotes the May 2014 witness statement of Charles Farr, director general of the Office for Security and Counter Terrorism, to the Investigatory Powers Tribunal, which states that an email sent from London to Birmingham is “internal” even if it travels via overseas servers. However, a Briton communicating with an overseas data centre, such as a Google search or a Twitter tweet, is seen as carrying out an external communication as the ‘recipient’ is the overseas server.
Bulk interception of internet traffic flowing through an undersea cable will therefore gather internal and external communications of a nation's populace. GCHQ uses computer-based selection, such as searches on email addresses, to sort the internal from the external, and there are some automated blocks in place stopping analysts from reading material on people known to be in the British Islands.
This doesn’t mean GCHQ won’t read your UK to UK emails – but it has use to another type of more targeted permission to do so. What analysts look at is recorded permanently for auditing, and Anderson quotes the Intelligence and Security Committee Privacy and Security Report, which states: “GCHQ are not reading the emails of everyone in the UK.”
Charles Farr – a career SIS ("MI6") spy seeking to defend counter-terrorism work, not by any means a normal civil servant - in a witness statement he signed as truthful, provides further reassurances.
“Any form of massive unwarranted intercept intrusion would as a minimum require a significant internal conspiracy which would never go undetected, let alone be concealed from external observation or inspection,” he wrote.
"No one sits in front of a computer screen aimlessly trawling through unselected intercepted material. All searches are for a specific authorised purpose.”
Farr did concede that small-scale unauthorised intrusion by an individual or small group is “conceivable, but highly improbable”.
Anderson says that those within the secret agencies show “a growing realisation” that they can’t assume the public will trust them because proxies such as he say so, and that “institutional safeguards and direct public engagement” are needed. GCHQ told him it intends to be “more transparent, wherever possible, about its capabilities and operations”. He points to its description of how it might work to identify someone planning to attack a UK target, which sounds like it relies partly on bulk interception.
This government wants to strengthen GCHQ’s surveillance abilities – although with a tiny majority in the Commons and none in the liberty-minded Lords, it may have to make some compromises. Regardless of the outcome, as part of the process we are getting a better idea of how this surveillance works. ®