The government unlawfully delegated powers to GCHQ to order phone and internet companies to hand over sensitive data on the public, it was claimed in the UK’s most secret court yesterday (12 March 2018).
The Investigatory Powers Tribunal heard that, in practice, GCHQ’s officials were responsible for deciding what data to demand from communications companies, despite legal requirements that these decisions should be made by a secretary of state.
A team within GCHQ, known as the sensitive relationship team (SRT), made decisions on what specific data to obtain from telecoms companies and consulted with them on what data they could supply.
This amounted to unlawful delegation of powers from the secretary of state to GCHQ, and undermined the independent oversight that should have been provided by the secretary of state using powers under Section 94 of the Telecommunications Act 1984, the court heard.
“The real decisions seem to have been taken by members of the SRT or those sitting above them in GCHQ,” Thomas de la Mare, representing Privacy International, told the court on the first day of a two-day hearing.
The arrangement had far-reaching implications for the domestic legality of the GCHQ regime and its compliance with Article 8 of the European Convention on Human Rights, the campaign group claimed in legal submissions.
Evidence of the close relationship between communications companies and GCHQ emerged during cross-examination of GCHQ’s deputy director of mission policy – known as witness X – who gave evidence from behind a curtain at a hearing on 26 February 2018.
There were “consensual” arrangements between telecoms companies and GCHQ officials to hand over their customers’ communications data, the court heard.
The SRT sometimes made requests for telecommunications data in writing, but in many cases requests were made verbally and not recorded by GCHQ or the communications companies.
The wording of Section 94 directions disclosed in court implied that requests would be signed either by the director of GCHQ or by a senior member of the SRT, rather than a secretary of state. At least one of the directions gave powers to a nominated GCHQ official to “make, renew, or modify requests”.
Did GCHQ withhold evidence from regulator?
Lawyers for Privacy International questioned whether GCHQ had provided the independent regulator, Stanley Burnton, with full access to its documentation during an audit inspection into Section 94 powers.
Witness X, who was responsible for GCHQ’s legal compliance until January this year, told the tribunal at an earlier hearing that GCHQ had provided Burnton, the interception of communications commissioner, with complete access to the agency’s documentation on Section 94 orders.
In a report published in July 2016, Burnton said GCHQ’s systems were operating properly, that commissioners responsible for independent oversight had made recommendations and GCHQ made changes, and that the oversight systems were working as intended.
But Privacy International told the court that the commissioner could not have reached the conclusions he reached had he read the Section 94 notices and “trigger” letters GCHQ had issued to telecoms and internet companies, which were disclosed to the court.
“What we have learned in the context, in particular from witness X, was that Stanley Burnton was either misled or, if witness X’s evidence is correct, was given the whole package [of information] but did not use it,” said Privacy International’s de la Mare. Either way, he said, the oversight system had failed.
No proper oversight of contractors
Lawyers for the campaigning group told the tribunal there had been no proper independent oversight of contractors working for GCHQ.
The NGO said contractors posed a greater risk to security than permanent members of staff, as they have only made a short-term commitment to the agency, have high levels of access to computers holding sensitive data, and may have in-depth technical knowledge of the systems they are working on.
Witness X initially claimed in written evidence that contractors would only have access to small amounts of test data and would not have systems administrator rights on operational systems.
He changed his evidence three months later, disclosing that GCHQ employed 100 contractors who had administrator rights to GCHQ’s computer systems holding bulk personal datasets – which may include records of the population’s phone calls, mobile phone location data, bank account details and social media use.
A contractor with systems administrator rights could set up a fake account, under a false name, have full access to development tools, then delete the logs. They could also add software to the system and use it to export data, the court heard.
“No matter how agencies try, someone will steal one of these databases and put it on the internet, and someone will be able to look up where anyone has been over the past year,” said Ben Jaffey QC.
Algorithms and machine learning questioned
Privacy International told the court that it was questionable whether the data analysis techniques used by the intelligence services were proportionate in law.
Staff at MI5 and MI6, for example, search through the entire range of bulk datasets held by the agencies – which contain highly sensitive records on individuals – by default, without any assessment of whether such a wide search is justified, Jaffey told the court.
“If I am at MI6 and I need to know someone’s passport number and when they got on a flight, I would come back with far more information than I asked for,” he said.
There had been no independent scrutiny of complex algorithms and machine learning techniques used by the intelligence agencies to sift through intercepted data. They may have built-in biases and may be discriminatory on the grounds of race or sex, Jaffey told the court.
“Let us assume that the algorithm is one that sweeps too widely, it has a tendency to produce information that is of low intelligence value, but tends to breach privacy. If such an algorithm exists, that is disproportionate, how is that to be dealt with?” he said.
Jaffey argued that the IPT should re-open its October 2016 judgment which found that UK intelligence services had been collecting bulk data on the population illegally until 2015.
Evidence disclosed in the case showed that the earliest point bulk data collection could have become legal was September 2017, when the Investigatory Powers Commissioner’s Office (IPCO) was set up as an oversight body under the Investigatory Powers Act, Privacy International told the court.
Secretary of state can delegate to GCHQ
James Eadie, representing the government and the intelligence services, told the court that it was not unlawful for the secretary of state to issue wide-ranging orders to telecoms and internet companies to disclose data and then allow GCHQ officers to decide what subset of that data they wanted.
Secretaries of state have authorised a breadth of data from communications service providers, and GCHQ has asked for a subset of that data. “What has the secretary of state authorised? The greater. It follows as a matter of authority, he also authorised the latter,” he said.
Privacy International said it would invite the tribunal to consider making a costs order against the government to reflect the multiple additional hearings the case has required as a result of the government’s conduct during earlier hearings.