There is a "dangerous lack of oversight" of global surveillance networks, Privacy International has said, warning that intelligence-sharing deals could become a way for states to "outsource surveillance".
In a report, Secret Global Surveillance Networks: Intelligence Sharing Between Governments and the Need for Safeguards, published today, the campaign group said that there were "alarming weaknesses" in the oversight arrangements governing intelligence sharing between state agencies.
Privacy International's argument is that – although intelligence sharing is important for national security – it could interfere with fundamental human rights.
NSA: Inside the FIVE-EYED VAMPIRE SQUID of the INTERNETREAD MORE
For instance, it could allow states to circumvent constraints on domestic surveillance, or one agency might receive intelligence that was derived from violations of international law, like torture.
"Without appropriate safeguards, states can use intelligence sharing as a way to outsource surveillance, bypassing domestic constraints on their surveillance activities," Privacy International said.
A particular problem, it said, is the "fundamental accountability challenges" state agencies face, because they "lack control over the actions of their foreign partners". It's hard for them to verify how information will be used in advance, or to substantiate how it was used after the fact – in part because of diplomatic issues.
"These inherent limitations can further facilitate the shirking of accountability over intelligence sharing," the group said. States can fall back on "plausible deniability", and there are few strong incentives for robust inquiries to be made.
Despite international human rights laws requiring that any interference with the right to privacy comes with safeguards – which is generally independent oversight – this is sorely lacking.
"Intelligence sharing between countries is one of the most pervasive but least regulated surveillance practices," said Scarlet Kim, lawyer at Privacy International.
Kim said deals often amounted to an "I'll spy for you if you spy for me" deal, which meant it was vital for governments to ensure their sharing practices were subject to clear and publicly accessible legal frameworks.
"It is equally vital that oversight mechanisms designed to oversee intelligence activities can properly scrutinise intelligence sharing," she said.
In drawing up the report, Privacy International asked the oversight bodies in 42 countries for more information on intelligence sharing regimes and the relevant checks and balances – 21 replied.
Among them, just nine said they had broad or full access to information about intelligence sharing, and just one – the Canadian Communications Security Establishment Commissioner – said spy agencies were required by law to provide it access to intelligence sharing arrangements.
Nine countries said that domestic intelligence agencies have no clear legal obligation to inform them of intelligence-sharing arrangements – these include Estonia, Finland and France.
Snowden leaks LEGALISED GCHQ's 'illegal' dragnet spying, rules British tribunalREAD MORE
Other countries, including Australia and the UK, said that although there weren't explicit provisions requiring intelligence agencies to inform oversight bodies about sharing, they believe they can obtain such information under more general provisions.
Privacy International criticised the fact no countries had powers to authorise decisions to share intelligence; it noted that in a number of countries this process "appears to bypass any independent authority".
Many responses pointed to powers for ex-post monitoring – for instance, their ability to access information, conduct inquiries and publish results. However, the group noted that most of the replies don’t clarify whether the oversight bodies can access information provided by foreign agencies.
Privacy International made a series of recommendations, which Kim said should be seen as a "blueprint" for proper regulation "in lieu of a no-questions-asked approach to exchanging enormous amounts of sensitive personal information with other governments".
These centre around enacting primary legislation governing intelligence sharing, along with transparent internal policies for agencies and beefing up the role of oversight bodies.
Among the specific recommendations are that agencies must gain prior independent authorisation before information is shared with a foreign partner, that they keep audit trails of authorisations, and that there are regular audits of the way foreign partners store, manage and use information.
In addition, there should be publicly available internal policies on intelligence sharing, more training for staff and mechanisms for whistleblowing. ®