The British parliament’s Intelligence and Security Committee (ISC) published its report on privacy and security yesterday, following an 18-month inquiry prompted by the Edward Snowden leaks. The report concludes that British intelligence and security agencies “do not seek to circumvent the law,” but finds that the current legal framework governing them is “piecemeal,” “unnecessarily complicated,” and “lack[ing] transparency.”

Shaheed Fatima yesterday provided a helpful overview of the report’s key findings. The Guardian also offers a great summary (including the significant revelation that the agencies have had the capability to examine large personal information databases without statutory oversight). Two aspects of the ISC’s report stand out as particularly problematic, even if the document as a whole is a step in the right direction.

GCHQ’s bulk collection does not constitute mass surveillance

The ISC maintains that GCHQ’s bulk collection systems “cannot … realistically be considered blanket interception.” The report states that the agency has “neither the legal authority, the technical capacity nor the resources” to have “blanket coverage” of all Internet communications. It bases this on the fact that GCHQ can only cover “a fraction of internet communications,” which it attempts to clarify at paragraph 58: GCHQ can theoretically access only a small percentage of the 100,000 “bearers” which make up fiber optic cables that transmit Internet data; resource constraints mean that the agency only accesses a fraction of the bearers that it could theoretically access; and this is further limited by the selection processes for collecting communications that are carried out by the agency. Notably, the percentages are all redacted (but more on the redactions below).

This explanation is unlikely to persuade privacy advocates and others that the bulk collection programs exposed by the Snowden revelations do not amount to mass surveillance. The fact that the exact percentages are blocked out in the report only raises questions over what the ISC regards as “a fraction” of all Internet communications. Moreover, as highlighted by the Open Rights Group, the ISC fails to acknowledge that intelligence sharing agreements with the intelligence agencies of other countries potentially give GCHQ far greater access to Internet communications than it would have on its own. This is particularly relevant given the ruling of the Investigatory Powers Tribunal last month that GCHQ acted unlawfully in accessing private communications collected by the NSA up until December 2014. Notably, some ex-agency staff have estimated that “95% of all [signals intelligence material] handled at GCHQ is American.” The ISC’s failure to acknowledge this significant reliance on the U.S. for Internet communications calls into question the committee’s defense of GCHQ’s bulk collection programs.

In the context of explaining the filtering rules and selection criteria that are applied to Internet communications which GCHQ can access, the ISC also seeks to maintain a clear distinction between collecting and reading. After explaining how all items collected through the bulk collection systems are targeted in some way, the report states:

“… In practice this means that fewer than *** of ***% of the items that transit the internet in one day are ever selected to be read by a GCHQ analyst. These communications – which only amount to around *** thousand items a day – are only the ones considered to be of the highest intelligence value. Only the communications of suspected criminals or national security targets are deliberately selected for examination.”

While the redacted percentages raise the same questions as above about the scope of GCHQ’s collection and the amount of data received from allies, it is also disappointing that the ISC does not engage with the wider arguments regarding bulk collection systems. There is no acknowledgment of the widely accepted legal position that systems of mass collection/retention clearly engage the right to privacy. (See, for example, the CJEU ruling on the EU Data Retention Directive.)

Transparency and oversight

A key theme of the report is a need for greater transparency from the government about the work of its intelligence and security agencies, including through consolidating legislation and acknowledging the intrusive capabilities of all the agencies. With that in mind, it is a shame that so much of the important detail has been blocked out of the report. The redactions quickly became a source of Twitter ridicule yesterday.

Apart from the heavy redactions, there are worrying admissions that raise questions about how transparent the intelligence agencies are during the oversight process – which, in turn, further discredits the ISC as an effective oversight body. So, for example, in discussing privileged information and the safeguards it should attract, the ISC says it learned about surveillance of lawyer-client communications from newspapers. In reference to the parallel litigation in Belhaj, the ISC learned of this practice through news reports on Nov. 6, 2014, over a year after its inquiry was launched. And it was only after these reports that the ISC “sought and received a full explanation of the facts” from the agencies. As expected, the explanation is redacted.

When the very body that is charged with the oversight of the intelligence services requires leaks on the scale of Edward Snowden’s to launch an inquiry into longstanding surveillance practices, or relies on newspaper reports to learn about the extent of surveillance activities – and when the outcome of an 18-month inquiry raises as many questions as it answers – the time may have come for root and branch reform not only of legislation, but also of oversight.