Intelligence Committee marks Gov's Snoopers' Charter: See me after class

Needs more clarity, Theresa, but otherwise a very good effort

The Intelligence and Security Committee of Parliament has warned the Government that it needs to make "substantive amendments" to its draft Investigatory Powers Bill, before proceeding to outline changes which don't appear to be very "substantive" at all.

The committee said the new draft provides insufficient safeguards and limits on the intelligence agencies' ability to monitor British citizens.

“Taken as a whole, the draft Bill fails to deliver the clarity that is so badly needed in this area,” said the committee's chairman, Dominic Grieve QC MP, in a statement accompanying the 18-page report (PDF).

The ISC's report – essentially a diligence exercise in legislative drafting – criticised the bill's weak and inconsistent privacy protections; its over-broad and unclear provisions regarding bulk interception and hacking; and the “inconsistent and confusing” approach to the examination of Communications Data.

These were described as “substantive issues of principle” by the report, which also suggested a number of specific amendments on “more detailed matters”. Its strong language, however, was largely targeted at the bill's sloppy and rushed construction, and its redundant warrant processes, rather than the powers contained therein.

The committee stated that: “We consider these changes necessary if the Government is to bring forward legislation which provides the security and intelligence Agencies with the investigatory powers they require, while protecting our privacy through robust safeguards and controls.”

The report is the second of four Parliamentary inquiries into the draft legislation to be published. It follows the Science and Technology Committee's inquiry, which reported that the financial burden companies faced in complying with the bill was so high it would be necessary for taxpayers to foot their costs.

Privacy protections

Given the background to the draft Bill and the public concern over the allegations made by Edward Snowden in 2013, it is surprising that the protection of people’s privacy – which is enshrined in other legislation – does not feature more prominently.

The draft legislation lacks “an overarching statement at [its] forefront”, according to the ISC, and as such privacy protections have been specified separately in each instance of an investigatory power. This “results in a lack of clarity which undermines the importance of the safeguards associated with these powers.”

Additionally, the protections afforded to sensitive professions – such as lawyers, doctors, politicians, and journalists – were also criticised as inconsistent. The report noted: “Clause 61 sets out that a Judicial Commissioner must approve an authorisation to obtain Communications Data for the purpose of identifying a source of journalistic information. However, this clause does not apply to the Agencies.”

Although the Wilson Doctrine – an informal promise that the Prime Minister would not spy on other Members of Parliament – had been declared to have no legal effect last year, the bill attempted to institute some protections for MPs for the purposes of protecting Parliament's sovereignty over the agencies. These protections were also inconsistent, according to the Parliamentary committee.

A further example is the protection afforded to a “member of a relevant legislature”: whilst the Secretary of State is required to consult the Prime Minister before issuing a Targeted Interception, Targeted Examination or Targeted Equipment Interference warrant where the communications are sent by, or intended for, a person who is a “member of a relevant legislature”, similar protections are not provided for in relation to Bulk Personal Dataset or Bulk Acquisition warrants.

Bulk Powers: Hacking

The ISC recognised the necessity of the Agencies' hacking capabilities (formally known as Equipment Interference or EI) but stated it was concerned that there are several different forms of hacking which do not fall under the draft Bill: “These IT operations will continue to sit under the broad authorisations provided to the Agencies under the Intelligence Services Act 1994.”

The committee had previously criticised the Intelligence Services Act 1994 in its report of last March, titled “Privacy and Security: A modern and transparent legal framework” (PDF), when it stated it had “serious concerns about the adequacy of the current legislative framework governing and constraining the Agencies’ activities.”

It also declared it was concerned about the use of equipment interference powers “where the primary purpose is not to obtain information”, and noted that the spooks had failed to provide it “with sufficiently compelling evidence as to why the Agencies require Bulk Equipment Interference warrants, given how broadly Targeted Equipment Interference warrants can be drawn.”

14. As set out above, the draft Bill provides for Targeted and Bulk EI warrants. However, despite the name, a Targeted EI warrant is not limited to an individual piece of equipment, but can relate to all equipment where there is a common link between multiple people, locations or organisations. In evidence, the Director of GCHQ suggested that, hypothetically, a Targeted EI warrant could cover a target as broad as an entire hostile foreign intelligence service. It is therefore unclear what a ‘Bulk’ EI warrant is intended to cover, and how it differs from a ‘Targeted’ EI warrant – a concern recognised by the Director of GCHQ who noted that “the dividing line between a large-scale targeted EI and bulk is not an exact one”.

As such, the committee recommended that “Bulk Equipment Interference warrants are removed from the new legislation” – though only because the other warrants do the job just as well.

Bulk Powers: Snooping

The ISC defined Bulk Personal Datasets (BPDs) as “large databases containing personal information about a wide range of people”, though a memo regarding the Government's line on the word database seems to have reached the committee, as the report replaced it with the tautological dataset.

The committee found the “acquisition, retention and examination of any Bulk Personal Dataset is sufficiently intrusive that it should require a specific warrant. We therefore recommend that Class Bulk Personal Dataset warrants are removed from the new legislation.”

In circumstances where BPDs are obtained “opportunistically” the committee noted that “the draft Bill does not impose any time limit by which [a] warrant application must be made. In theory, therefore, an Agency could hold a BPD without authorisation indefinitely.”

The Committee recommended that “a time limit of one month is introduced for the Agencies to hold a UK-sourced Bulk Personal Dataset without a warrant temporarily whilst a specific warrant application is made and determined.”

Communications Data

The committee further criticised the “inconsistent processes and safeguards for the examination of Communications Data”, and the opacity of “arrangement relating to how the Agencies obtain Internet Connection Records (ICRs).”

Different methods for obtaining communications data have resulted in “a variety of different safeguards and authorisation procedures for obtaining and examining the same information.”

An example was provided regarding “GCHQ's collection of [related communications data (RCD)] via its Bulk Interception capabilities.”

RCD encompasses all aspects of the communication apart from the actual content. GCHQ does not seek to collect the communications of people in the UK, but some incidental interception is inevitable because the origin of the sender or recipient is not always clear – for example, an email address ending ‘.com’ could belong to a person in the UK. To provide protection for any such material incidentally collected, there is a prohibition on searching for and examining any material that relates to a person known to be in the UK (therefore, even if it is collected, it cannot be examined unless additional authorisation is obtained). However, these safeguards only relate to the content of these communications. The RCD relating to the communications of people in the UK is unprotected if it is collected via Bulk Interception. In direct contrast, if the same material were collected and examined through other means (for example, a direct request to a CSP) then the draft Bill sets out how it must be authorised (i.e. through a Designated Senior Officer). Again, the Agencies may choose to apply the same processes in both circumstances as a matter of policy and good practice, but this is not required by the draft Bill. To leave the safeguards up to the Agencies as a matter of good practice is simply unacceptable: this new legislation is an opportunity to provide clarity and assurance and it fails to do so in this regard.

As such, the draft bill's approach towards communication data examination is “inconsistent and largely incomprehensible” and the committee recommended that the same process for authorising examinations be adopted across the board, and must be “set out on the face of the Bill: it is not sufficient to rely on internal policies or Codes of Practice.”

Furthermore, the committee stated that the provisions in the legislation for the spooks to acquire the mysterious Internet Connection Records from CSPs were misleading: “The Agencies have told the Committee that they have a range of other capabilities which enable them to obtain equivalent data.” The very definition of ICRs has been a continued source of questions, however.

The report will be followed by the Joint Committee, which will be publishing its 400-odd page report on Thursday morning. ®


Biting the hand that feeds IT © 1998–2021