An oversight body has revealed that secretaries of state for the Home Office and the Foreign and Commonwealth Office have issued at least 23 secret orders to telecommunications companies on national security grounds since 2001.
Section 94 of the Telecommunications Act allows for UK comms providers to be issued with general "directions" to provide intercepted communications data, purportedly in the interests of national security.
The review reveals that there are 23 ongoing "directions" issued under section 94 that fall within the scope of IOCCO’s oversight. The volume of communications intercepted was not revealed.
Other uses of the power were not investigated. In a letter to IOCCO, the Prime Minister confirmed that other section 94 "directions" had been issued by the Department for Business, Innovation and Skills, but stated that the oversight body would not be given the right to oversee these “because they were in the process of being reviewed and would possibly be rescinded”. The nature of these directions is a mystery.
The 23 orders that have been issued between 2001 and 2016, and that IOCCO was informed of, all relate to the interception of communications, and were given on behalf of MI5, GCHQ, the three agencies collectively (including MI6) or on behalf of the NCA.
15 of these, given on behalf of MI5 and GCHQ, relate to the acquisition of bulk communications data. The remaining eight, from MI5, MI6, both alongside GCHQ, or the NCA, “relate to the provision of services in emergencies, for civil contingency purposes or to help the agencies in safeguarding the security of their personnel and operations.”
Although it is unconfirmed, among these orders is likely one relating to the phone call interception programme PRESTON, as revealed by The Register last year. IOCCO reported: “In 2015 the Security Service [MI5] made 20,042 applications to access communications data obtained pursuant to section 94 directions. These applications related to 122,579 items of communications data.”
Jo Cavan explained to journalists at a press briefing this morning that each application to access communications was equivalent to an individual query, while the items of communications data would be individual sets of information, such as location data from a particular phone within a particular time period, returned by that query.
“Overall,” IOCCO reported, “we concluded that the Security Service applications that we examined were submitted to an excellent standard and satisfied the principles of necessity and proportionality.”
In terms of GCHQ it drew the conclusion that, “although the selection procedure is careful and conscientiously undertaken both in general and, so far as we were able to judge, by the individuals concerned, the process relies mainly on the professional judgment of analysts, their training and management oversight.”
No authentication process to allow access to bulk comms data
“There is no pre-authorisation or authentication process to allow access to bulk communications data that has already been acquired and retained by the agency under a section 94 direction,” IOCCO revealed.
“GCHQ has however implemented retrospective audit checks,” which include ex post facto random audit checks of the analysts’ justifications for the selection of bulk communications data by GCHQ’s Internal Compliance Team. In addition, GCHQ’s IT Security Team conducts technical audits to identify and further investigate any possible unauthorised use.
In IOCCO’s report of last year, Sir Anthony May stated: “Although the retrospective audits are a strong safeguard and also serve to act as a deterrent against malign use, I consider that a number of matters need further thought including whether it might be feasible (or indeed desirable) to introduce some sort of pre-authorisation or authentication process, or whether the retrospective audits could be broadened and enhanced.”
Surveillance and security
In several meetings and audits, IOCCO determined how secure the electronic transfer of communications data to the agencies is under the 15 bulk communications directions stated. It established that the data is stored in secure locations, with the strongest access controls for staff, and that biannual reviews are undertaken to assess design architecture and physical security.
MI5 “holds the communications data acquired pursuant to a section 94 direction for a period of 365 days, automatically deleting it on a daily basis. GCHQ’s policy is to hold communications data acquired pursuant to section 94 directions for a maximum of 1 year. In practice the retention limit is lower than this, and the data is subject to automated deletion on a daily basis.”
IOCCO reports how “a series of 12-year-old correspondence between Home Office and GCHQ lawyers and a former Commissioner (from 2004) has been disclosed” as part of an ongoing case brought by Privacy International to the Investigatory Powers Tribunal which shows that the Home Office chose to use section 94 orders rather than powers available under RIPA.
At the time Caroline Wilson Palow, general counsel at Privacy International, said the correspondence demonstrated “the government's troubling history of bending the rules to expand its surveillance powers while minimising safeguards.”
Section 94, which had concerned many civil liberties campaigners, allows for any secretary of state to issue orders to a public electronic communications network (PECN) as long as those orders appear to that secretary of state “to be necessary in the interests of national security or relations with the government of a country or territory outside the United Kingdom.”
Amid outcry resulting from the Snowden revelations the Prime Minister asked IOCCO to “formally oversee directions issued under section 94” which the then commissioner, Sir Anthony May, welcomed as “a good first step towards greater transparency and comprehensive oversight of any directions.”
When the first look-over was taken in IOCCO’s annual report last year, Sir Anthony noted that his office’s “oversight was limited” because it was only concerned with very specific parts of section 94 notices. He added that his office was at the time “prohibited from saying any more about this oversight as the Secretary of State is of the opinion that disclosure would be against the interests set out in section 94(5) of the Telecommunications Act.”
While section 94 of the Telecommunications Act will be repealed by the Investigatory Powers Bill, if that is passed, IOCCO noted that its “review and this report highlight clearly the difficulties when statutes are operated in secret and where there is a lack of statutory codified procedures.”
IOCCO makes nine recommendations throughout the report “which must be implemented to clarify and bring consistency to the procedures in place, remedy the lack of record-keeping requirements and ensure that we are able to undertake our oversight of the giving and use of section 94 directions properly.”
This report meets IOCCO’s half-yearly reporting duties. Its annual report, which will provide statistics on the use of RIPA powers, is set to be published on 21 July.