Governance & Risk Management , Legislation & Litigation , Privacy

Surveillance Report Demands Transparency

Calls for Rewriting UK Intelligence Law from Scratch
Surveillance Report Demands Transparency

Parliament's intelligence committee has called for a reboot of the regulations that govern Britain's intelligence services, warning that the current approach "is unnecessarily complicated and - crucially - lacks transparency."

See Also: Conversation | Crowdsourced Security and DevOps: A Few Things You Probably Didn't Know

That recommendation is included in a new report, "Privacy and Security: A Modern and Transparent Legal Framework," released by the Intelligence and Security Committee of Parliament. For the past 18 months, the committee has been investigating how the country's intelligence services - MI5, MI6 and GCHQ - have been using their "range of intrusive capabilities."

The investigation was launched in the wake of former U.S. National Security Agency contractor Edward Snowden's leaks, which revealed that massive, bulk data collection programs were being run by the U.S. and its "Five Eyes" surveillance partners, which include Britain's GCHQ - short for Government Communications Headquarters.

The report absolves Britain's intelligence services from any rule-breaking or overreach, saying that they "do not seek to circumvent the law." But the committee also derides the current laws that authorize - and govern - the intelligence services, saying they're unclear and overcomplicated.

"Our key recommendation therefore is that all the current legislation governing the intrusive capabilities of the security and intelligence agencies be replaced by a new, single Act of Parliament," MP and ISC member Hazel Blears said at a March 12 press conference. "We have set out the principles which must underpin this new legal framework. These are based on explicit avowed capabilities, together with the authorization procedures, privacy constraints, transparency requirements, targeting criteria, sharing arrangements, oversight and other safeguards that apply to the use of those capabilities."

In laying out its recommendations, the committee attempted to balance "the individual's right to privacy and our collective right to security," Blears said. She also noted that in the course of its related investigation, the committee gained access to "an unprecedented level of detail about the intrusive capabilities that the agencies use - and in some cases these are capabilities that have not previously been revealed publicly." Most of those capabilities, however, have been redacted from the public version of the report.

Many privacy and civil rights groups reacted to the Parliamentary committee's findings by saying they failed to go far enough. "The ISC's report should have apologized to the nation for their failure to inform Parliament about how far GCHQ's powers have grown," says Jim Killock, executive director of Open Rights Group. "This report fails to address any of the key questions apart from the need to reform our out-of-date surveillance laws. This just confirms that the ISC lacks the sufficient independence and expertise to hold the agencies to account."

Report Dismisses "Blanket Surveillance"

The report also concludes that while GCHQ practices "bulk interception" of communications data, "it does not equate to blanket surveillance, nor does it equate to indiscriminate surveillance." The rationale for that finding hinges not just on data collection, but data review. "GCHQ is not collecting or reading everyone's emails: they do not have the legal authority, the resources or the technical capability to do so."

But the explanation that GCHQ intercepts bulk data - yet isn't practicing mass surveillance - has been questioned by U.K. civil rights group Privacy International. "No amount of technical and legal jargon can obscure the fact that this is a parliamentary committee, in a democratic country, telling its citizens that they are living in a surveillance state," it says in a statement.

The committee's finding also ignores the fact that the U.K.'s surveillance laws remain at odds with the European Court of Justice, which last year ruled that blanket - as opposed to targeted - data retention violates Europeans' right to privacy and protection of their personal information.

Current Intelligence Laws: Opaque

U.K. intelligence agencies are governed by the 1994 Intelligence Services Act, and their surveillance capabilities are regulated by the Regulation of Investigatory Powers Act, or RIPA. But legal experts say the laws are so opaque that they can be - and have been - interpreted however the government might like, to justify its surveillance programs.

Last year, one of Parliament's more tech-literate members, co-founder Martha Lane Fox, warned Parliament that RIPA is "badly understood and arguably dysfunctional." Fox is not a member of Parliament's Intelligence and Security Committee.

Privacy advocate Caspar Bowden, a former chief privacy officer for Microsoft, notes that the Intelligence Services Act "could be misconstrued as providing the agencies with a 'blank check' to carry out whatever activities they deem necessary."

Oversight and Accountability

Privacy International contends that the Snowden revelations - and not action by the Parliament's Intelligence and Security Committee - triggered the current privacy debate. Any new law must address existing problems with "oversight and accountability" for the intelligence services, it says. "Parliament must ensure that the law is fit for purpose, that all powers and actions are explicitly authorized by an independent judiciary and properly overseen to audit use and address any abuse. Otherwise, we will find ourselves in a similar situation years from now without the benefit of a future Edward Snowden to prompt officials to do their jobs."

The Open Rights Group has also called for the nation's intelligence-oversight mechanisms - including the Intelligence and Security Committee itself - to be reformed "so that they are truly independent, accountable to Parliament and have sufficient technical expertise to tackle the technical, legal and ethical issues around surveillance."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.