The following report from the U.K. Intelligence and Security Committee of Parliament on mass surveillance activities conducted by the Government Communications Headquarters (GCHQ) was released March 12, 2015. Throughout the report, a set of three asterisks “***” indicates that information has been redacted.
Privacy and Security: A modern and transparent legal framework
i. The internet has transformed the way we communicate and conduct our day-to-day lives. However, this has led to a tension between the individual right to privacy and the collective right to security, which has been the focus of considerable debate over the past 18 months.
ii. The leak by Edward Snowden of stolen intelligence material in June 2013 led to allegations regarding the UK Agencies’ use of intrusive capabilities – in particular those relating to GCHQ’s interception of internet communications. This Committee investigated the most serious of those allegations – that GCHQ were circumventing UK law – in July 2013. We concluded that that allegation was unfounded. However, we considered that a more in-depth Inquiry into the full range of the Agencies’ intrusive capabilities was required – not just in terms of how they are used and the scale of that use, but also the degree to which they intrude on privacy and the extent to which existing legislation adequately defines and constrains these capabilities.
iii. All those who contributed to this Inquiry agreed that the intelligence and security Agencies have a crucial role protecting UK citizens from threats to their safety. The UK intelligence and security Agencies (MI5, SIS and GCHQ) exist to protect the country from threats and to obtain intelligence in the interests of the UK’s national security or economic well-being and for the detection and prevention of serious crime. The importance of this work is reflected in the fact that Parliament has provided the Agencies with a range of intrusive powers which they use to generate leads, to discover threats, to identify those who are plotting in secret against the UK and to track those individuals.
iv. However, in a democratic society those powers cannot be unconstrained: limits and safeguards are essential. First and foremost, the Agencies are public bodies and therefore everything they do must be in accordance with the Human Rights Act 1998 (which incorporates the European Convention on Human Rights into UK law). While the Agencies work to protect our national security, they must do so while upholding our basic human rights. Some rights are not absolute: the right to privacy, for example, is a qualified right – as all the witnesses to our Inquiry accepted – which means that there may be circumstances in which it is appropriate to interfere with that right. In the UK, the legal test is that action can be taken which intrudes into privacy only where it is for a lawful purpose and it can be justified that it is necessary and proportionate to do so. The question that we have considered in relation to each of the Agencies’ capabilities is whether the intrusion it entails is justified and whether the safeguards are sufficient.
v. Our Inquiry has involved a detailed investigation into the intrusive capabilities that are used by the UK intelligence and security Agencies. This Report contains an unprecedented amount of information about those capabilities, including how they are used, the legal framework that regulates their use, the authorisation process, and the oversight and scrutiny arrangements that apply. For ease of reference, we have included an overview of the Report in the next chapter and below we summarise our key findings:
• We are satisfied that the UK’s intelligence and security Agencies do not seek to circumvent the law – including the requirements of the Human Rights Act 1998, which governs everything that the Agencies do.
• However, that legal framework has developed piecemeal, and is unnecessarily complicated. We have serious concerns about the resulting lack of transparency, which is not in the public interest.
• Our key recommendation therefore is that the current legal framework be replaced by a new Act of Parliament governing the intelligence and security Agencies. This must clearly set out the intrusive powers available to the Agencies, the purposes for which they may use them, and the authorisation required before they may do so.
• Our Report also contains substantial recommendations about each of the Agencies’ intrusive capabilities, which we consider are essential to improve transparency, strengthen privacy protections and increase oversight.
• We have scrutinised GCHQ’s bulk interception capability in particular detail, since it is this that has been the focus of recent controversy:
– Our Inquiry has shown that the Agencies do not have the legal authority, the resources, the technical capability, or the desire to intercept every communication of British citizens, or of the internet as a whole: GCHQ are not reading the emails of everyone in the UK.
– GCHQ’s bulk interception systems operate on a very small percentage of the bearers that make up the internet. We are satisfied that they apply levels of filtering and selection such that only a certain amount of the material on those bearers is collected. Further targeted searches ensure that only those items believed to be of the highest intelligence value are ever presented for analysts to examine: therefore only a tiny fraction of those collected are ever seen by human eyes.
– The current legal framework of external and internal communications has led to much confusion. However, we have established that bulk interception cannot be used to target the communications of an individual in the UK without a specific authorisation naming that individual, signed by a Secretary of State.
• While these findings are reassuring, they nevertheless highlight the importance of a new, transparent legal framework. There is a legitimate public expectation of openness and transparency in today’s society, and the intelligence and security Agencies are not exempt from that.
65. Another major processing system by which GCHQ may collect communications is ***, where GCHQ are looking to match much more complicated criteria with three or four elements, for example. Unlike the simple selectors used in the first process, this technique requires ***.
66. This process operates across a far smaller number of bearers – GCHQ choose just *** of the bearers out of those they can theoretically access. These bearers are not chosen at random: they are deliberately targeted as those most likely to carry communications of intelligence interest. (For example, GCHQ are currently targeting bearers likely to be carrying communications of ***.)
67. As a first step in the processing under this method, ***. *** the system applies a set of ‘selection rules’. As of November 2014, there were *** selection rules. ***. Examples of these initial selection rules are:
• include ***;
• include ***; and
• discard communications ***.
As a result of this selection stage, the processing system automatically discards the majority (***) of the traffic on the targeted bearers. The remainder is collected ***. These communications are the ones that GCHQ consider most likely to contain items of intelligence value.