UK intelligence report on surveillance: findings, recommendations etc

 

Below, hot off the press, are the key findings, conclusions and recommendations  of the ISC report: “Privacy and Security:A modern and transparent legal framework” which was published today. In the meantime, here is an alternative slant on the report by the Open Rights Group and another by Privacy International.

KEY FINDINGS

i. The internet has transformed the way we communicate and conduct our day-to-day
lives. However, this has led to a tension between the individual right to privacy and the
collective right to security, which has been the focus of considerable debate over the past
18 months.

ii. The leak by Edward Snowden of stolen intelligence material in June 2013 led to
allegations regarding the UK Agencies’ use of intrusive capabilities – in particular those
relating to GCHQ’s interception of internet communications. This Committee investigated
the most serious of those allegations – that GCHQ were circumventing UK law – in
July 2013. We concluded that that allegation was unfounded. However, we considered
that a more in-depth Inquiry into the full range of the Agencies’ intrusive capabilities
was required – not just in terms of how they are used and the scale of that use, but also
the degree to which they intrude on privacy and the extent to which existing legislation
adequately defines and constrains these capabilities.

iii. All those who contributed to this Inquiry agreed that the intelligence and security
Agencies have a crucial role protecting UK citizens from threats to their safety. The UK
intelligence and security Agencies (MI5, SIS and GCHQ) exist to protect the country from
threats and to obtain intelligence in the interests of the UK’s national security or economic
well-being and for the detection and prevention of serious crime. The importance of this
work is reflected in the fact that Parliament has provided the Agencies with a range of
intrusive powers which they use to generate leads, to discover threats, to identify those
who are plotting in secret against the UK and to track those individuals.

iv. However, in a democratic society those powers cannot be unconstrained: limits
and safeguards are essential. First and foremost, the Agencies are public bodies and
therefore everything they do must be in accordance with the Human Rights Act 1998
(which incorporates the European Convention on Human Rights into UK law). While
the Agencies work to protect our national security, they must do so while upholding our
basic human rights. Some rights are not absolute: the right to privacy, for example, is a
qualified right – as all the witnesses to our Inquiry accepted – which means that there may
be circumstances in which it is appropriate to interfere with that right. In the UK, the legal
test is that action can be taken which intrudes into privacy only where it is for a lawful
purpose and it can be justified that it is necessary and proportionate to do so. The question
that we have considered in relation to each of the Agencies’ capabilities is whether the
intrusion it entails is justified and whether the safeguards are sufficient.

v. Our Inquiry has involved a detailed investigation into the intrusive capabilities
that are used by the UK intelligence and security Agencies. This Report contains an
unprecedented amount of information about those capabilities, including how they are
used, the legal framework that regulates their use, the authorisation process, and the
oversight and scrutiny arrangements that apply. For ease of reference, we have included
an overview of the Report in the next chapter and below we summarise our key findings:

• We are satisfied that the UK’s intelligence and security Agencies do not seek
to circumvent the law – including the requirements of the Human Rights
Act 1998, which governs everything that the Agencies do.
• However, that legal framework has developed piecemeal, and is
unnecessarily complicated. We have serious concerns about the resulting
lack of transparency, which is not in the public interest.
• Our key recommendation therefore is that the current legal framework
be replaced by a new Act of Parliament governing the intelligence and
security Agencies. This must clearly set out the intrusive powers available to
the Agencies, the purposes for which they may use them, and the
authorisation required before they may do so.
• Our Report also contains substantial recommendations about each of the
Agencies’ intrusive capabilities, which we consider are essential to improve
transparency, strengthen privacy protections and increase oversight.
• We have scrutinised GCHQ’s bulk interception capability in particular
detail, since it is this that has been the focus of recent controversy:
Our Inquiry has shown that the Agencies do not have the legal authority,
the resources, the technical capability, or the desire to intercept every
communication of British citizens, or of the internet as a whole: GCHQ
are not reading the emails of everyone in the UK.

GCHQ’s bulk interception systems operate on a very small percentage
of the bearers that make up the internet. We are satisfied that they
apply levels of filtering and selection such that only a certain amount
of the material on those bearers is collected. Further targeted searches
ensure that only those items believed to be of the highest intelligence
value are ever presented for analysts to examine: therefore only a tiny
fraction of those collected are ever seen by human eyes.

The current legal framework of external and internal communications
has led to much confusion. However, we have established that bulk
interception cannot be used to target the communications of an
individual in the UK without a specific authorisation naming that
individual, signed by a Secretary of State.

While these findings are reassuring, they nevertheless highlight the
importance of a new, transparent legal framework. There is a legitimate
public expectation of openness and transparency in today’s society, and the
intelligence and security Agencies are not exempt from that.

ANNEX: FULL LIST OF CONCLUSIONS AND
RECOMMENDATIONS

A. The targeted interception of communications (primarily in the UK) is an essential
investigative capability which the Agencies require in order to learn more about
individuals who are plotting against the UK. In order to carry out targeted interception,
the Agencies must apply to a Secretary of State for a warrant under Section 8(1) of RIPA.
From the evidence the Committee has seen, the application process followed by MI5 is
robust and rigorous. MI5 must provide detailed rationale and justification as to why it is
necessary and proportionate to use this capability (including, crucially, an assessment of
the potential collateral intrusion into the privacy of innocent people).

B. GCHQ and SIS obtain fewer 8(1) warrants. When they do apply for such warrants,
they do so via a submission to the Foreign Secretary. While this submission covers
those aspects required by law, it does not contain all the detail covered by MI5’s warrant
applications. We therefore recommend that GCHQ and SIS use the same process as MI5
to ensure that the Home Secretary and the Foreign Secretary receive the same level of
detail when considering an 8(1) warrant application.

C. RIPA expressly prohibits any reference to a specific interception warrant. We do not
consider this is proportionate: disclosure should be permissible where the Secretary of
State considers that this could be done without damage to national security.

D. The Agencies have described ‘thematic warrants’ as covering the targeted interception
of the communications of a “defined group or network” (as opposed to one individual).
The Committee recognises that such warrants may be necessary in some limited
circumstances. However, we have concerns as to the extent that this capability is used
and the associated safeguards. Thematic warrants must be used sparingly and should be
authorised for a shorter timescale than a standard 8(1) warrant.

E. There are other targeted techniques the Agencies can use which also give them
access to the content of a specific individual’s communications. However, the use of
these capabilities is not necessarily subject to the same rigour as an 8(1) warrant, despite
providing them with the same result. All capabilities which provide the content of an
individual’s communications should be subject to the same legal safeguards, i.e. they must
be authorised by a Secretary of State and the application to the Minister must specifically
address the Human Rights Act ‘triple test’ of legality, necessity and proportionality.

F. GCHQ’s bulk interception capability is used either to investigate the communications
of individuals already known to pose a threat, or to generate new intelligence leads, for
example to find terrorist plots, cyber attacks or other threats to national security. It has
been alleged – inaccurately – that this capability allows GCHQ to monitor all of the
communications carried over the internet. GCHQ could theoretically access a small
percentage (***%) of the 100,000 bearers which make up the internet, but in practice they
access only a fraction of these (***%) – we detail below the volume of communications
collected from these bearers. GCHQ do not therefore have ‘blanket coverage’ of all
internet communications, as has been alleged – they have neither the legal authority, the
technical capacity nor the resources to do so.

G. It has been suggested that GCHQ’s bulk interception is indiscriminate. However, one
of the major processes by which GCHQ conduct bulk interception is targeted. GCHQ
first choose the bearers to access (a small proportion of those they can theoretically
access) and then use specific selectors, related to individual targets, in order to collect
communications from those bearers. This interception process does not therefore collect
communications indiscriminately.

H. The second bulk interception process we have analysed involves the *** collection
of large quantities of communications. ***. However, this collection is not indiscriminate.
GCHQ target only a small proportion of those bearers they are able to access. The
processing system then applies a set of selection rules and, as a result, automatically
discards the majority of the traffic on the targeted bearers.

I. There is a further filtering stage before analysts can select any communications to
examine or read. This involves complex searches to draw out communications most
likely to be of greatest intelligence value and which relate to GCHQ’s statutory functions.
These searches generate an index. Only items contained in this index can potentially be
examined – all other items cannot be searched for, examined or read.

J. Our scrutiny of GCHQ’s bulk interception via different methods has shown that
while they collect large numbers of items, these have all been targeted in some way.
Nevertheless, it is unavoidable that some innocent communications may have been
incidentally collected. The next stage of the process – to decide which of the items
collected should be examined – is therefore critical. For one major method, a ‘triage’
process means that the vast majority (***%) of the items collected are never looked at by
an analyst. For another major method, the analysts use the search results to decide which of
the communications appear most relevant and examine only a tiny fraction (***%) of the
items that are collected. In practice this means that fewer than *** of ***% of the items
that transit the internet in one day are ever selected to be read by a GCHQ analyst. These
communications – which only amount to around *** thousand items a day – are only
the ones considered to be of the highest intelligence value. Only the communications of
suspected criminals or national security targets are deliberately selected for examination.

K. It is essential that the Agencies can ‘discover’ unknown threats. This is not just about
identifying individuals who are responsible for threats, it is about finding those threats in
the first place. Targeted techniques only work on ‘known’ threats: bulk techniques (which
themselves involve a degree of filtering and targeting) are essential if the Agencies are to
discover those threats.

L. We are satisfied that current legislative arrangements and practice are designed to
prevent innocent people’s communications being read. Based on that understanding, we
acknowledge that GCHQ’s bulk interception is a valuable capability that should remain
available to them.

M. While we recognise privacy concerns about bulk interception, we do not subscribe
to the point of view that it is acceptable to let some terrorist attacks happen in order
to uphold the individual right to privacy – nor do we believe that the vast majority of
the British public would. In principle it is right that the intelligence Agencies have this
capability, provided – and it is this that is essential – that it is tightly controlled and subject
to proper safeguards.

N. Bulk interception is conducted on external communications, which are defined
in law as communications either sent or received outside the UK (i.e. with at least one
‘end’ of the communication overseas). The collection of external communications is
authorised under 19 warrants under Section 8(4) of RIPA. These warrants – which cover
the Communications Service Providers who operate the bearers – do not authorise the
examination of those communications, only their collection. The warrants are therefore
all accompanied by a Certificate which specifies which of the communications collected
under the warrant may be examined. GCHQ are not permitted by law to examine the
content of everything they collect, only that material which falls under one of the categories
listed in the Certificate. In the interests of transparency we consider that the Certificate
should be published.

O. 8(4) warrants allow GCHQ to collect ‘external communications’ – these are defined
in RIPA as communications where at least one end is overseas. However, in respect of
internet communications, the current system of ‘internal’ and ‘external’ communications
is confusing and lacks transparency. The Government must publish an explanation of
which internet communications fall under which category, and ensure that this includes
a clear and comprehensive list of communications.

P. The legal safeguards protecting the communications of people in the UK can be
summarised as follows:
• The collection and examination of communications with both ends known to be
in the UK requires an 8(1) warrant.
• All other communications can be collected under the authority of an 8(4)
warrant.
• Of these, GCHQ may search for and select communications to examine on the
basis of a selector (e.g. email address) of an individual overseas – provided that
their reason for doing so is one or more of the categories described in the 8(4)
Certificate.
• GCHQ may search for and select communications to examine on the basis of
a selector (e.g. email address) of an individual in the UK if – and only if – they
first obtain separate additional authorisation from a Secretary of State in the
form of an 8(1) warrant or a Section 16(3) modification to the 8(4) warrant.
• It would be unlawful for GCHQ to search for communications related to
somebody known to be in the UK among those gathered under an 8(4) warrant
without first obtaining this additional Ministerial authorisation.

This is reassuring: under an 8(4) warrant the Agencies can examine communications
relating to a legitimate overseas target, but they cannot search for the communications of
a person known to be in the UK without obtaining specific additional Ministerial
authorisation.

Q. The nature of the 16(3) modification system is unnecessarily complex and does
not provide the same rigour as that provided by an 8(1) warrant. We recommend that
despite the additional resources this would require – searching for and examining the
communications of a person known to be in the UK should always require a specific
warrant, authorised by a Secretary of State.

R. While the protections outlined above apply to people in the UK, they do not
apply to UK nationals abroad. While GCHQ operate a further additional system of
authorisations, this is a policy process rather than a legal requirement. We consider that
the communications of UK nationals should receive the same level of protection under
the law, irrespective of where the person is located. The interception and examination of
such communications should therefore be authorised through an individual warrant like
an 8(1), signed by a Secretary of State. While we recognise this would be an additional
burden for the Agencies, the numbers involved are relatively small and we believe it would
provide a valuable safeguard for the privacy of UK citizens.

S. While the law sets out which communications may be collected, it is the selection
of the bearers, the application of simple selectors and initial search criteria, and the
complex searches which determine what communications are read. The Interception of
Communications Commissioner should be given statutory responsibility to review the
various selection criteria used in bulk interception to ensure that these follow directly
from the Certificate and valid national security requirements.

T. From the evidence we have seen, there are safeguards in place to ensure that analysts
examine material covered by the 8(4) Certificate only where it is lawful, necessary and
proportionate to do so. GCHQ’s search engines are constructed such that there is a clear
audit trail, which may be reviewed both internally and by the Interception of
Communications Commissioner. Nevertheless, we were concerned to learn that, while
misuse of GCHQ’s interception capabilities is unlawful, it is not a specific criminal
offence. We strongly recommend that the law should be amended to make abuse of
intrusive capabilities (such as interception) a criminal offence.

U. In our 2013 Report on the draft Communications Data Bill, we concluded that
“it is essential that the Agencies maintain the ability to access Communications Data”.
The Committee remains of that view: it is a critical capability.

V. The Committee considers that the statutory definition of Communications Data – the
‘who, when and where’ of a communication – is narrowly drawn and therefore, while the
volume of Communications Data available has made it possible to build a richer picture
of an individual, this remains considerably less intrusive than content. We therefore do not
consider that this narrow category of Communications Data requires the same degree of
protection as the full content of a communication.

W.However, there are legitimate concerns that certain categories of Communications
Data – what we have called ‘Communications Data Plus’ – have the potential to reveal
details about a person’s private life (i.e. their habits, preferences and lifestyle) that are
more intrusive. This category of information requires greater safeguards than the basic
‘who, when and where’ of a communication.

X. The Agencies use Bulk Personal Datasets – large databases containing personal
information about a wide range of people – to identify individuals in the course of
investigations, to establish links, and as a means of verifying information obtained
through other sources. These datasets are an increasingly important investigative tool
for the Agencies. The Intelligence Services Act 1994 and the Security Service Act 1989
provide the legal authority for the acquisition and use of Bulk Personal Datasets. However,
this is implicit rather than explicit. In the interests of transparency, we consider that this
capability should be clearly acknowledged and put on a specific statutory footing.

Y. The Intelligence Services Commissioner currently has responsibility for overseeing
the Agencies’ acquisition, use and destruction of Bulk Personal Datasets. This is currently
on a non-statutory basis. Given that this capability may be highly intrusive and impacts
upon large numbers of people, it is essential that it is tightly regulated. The Commissioner’s
role in this regard must therefore be put on a statutory footing.

Z. The Agencies conduct both ‘Intrusive Surveillance’ (typically inside a private
residence or vehicle) and ‘Directed Surveillance’ (typically conducted in public places).
These are targeted capabilities, involving considerable resources, and as a consequence
are used sparingly.

AA. Where the Agencies interfere with property and wireless telegraphy in the UK,
they obtain specific Ministerial authority in the form of a warrant under Section 5 of
the Intelligence Services Act 1994. However, we note that in certain circumstances the
Agencies gain access to an SoI’s property under the authority of another organisation’s
warrant. This practice – while legal – should be subject to greater oversight by both
Ministers and the Intelligence Services Commissioner.

BB. While intrusive action within the UK requires a Ministerial warrant, outside the UK
it is authorised by use of a Class Authorisation under the Intelligence Services Act 1994.
However, the Agencies do not all keep detailed records of operational activity conducted
under these Class Authorisations. It is essential that they keep comprehensive and accurate
records of when they use these powers. It is unacceptable not to record information on
intrusive action.

CC. The Agencies may undertake IT Operations against computers or networks in order
to obtain intelligence. These are currently categorised as ‘Interference with Property’ and
authorised under the same procedure. Given the growth in, and intrusiveness of, such
work we believe consideration should be given to creating a specific authorisation regime.

DD. GCHQ need to be able to read the encrypted communications of those who might
pose a threat to the UK. We recognise concerns that this work may expose the public to
greater risk and could have potentially serious ramifications (both political and economic).
We have questioned GCHQ about the risks of their work in this area. They emphasised that
much of their work is focused on improving security online. In the limited circumstances
where they do *** they would only do so where they are confident that it could not be
***. However, we are concerned that such decisions are only taken internally: Ministers
must be kept fully informed of all such work and specifically consulted where it involves
potential political and economic risks.

EE. The Agencies have put in place internal policy guidance governing the processes
and safeguards to be applied when recruiting and running agents, and detailed training
to their agents about what they can and cannot do. We nevertheless consider that more
should be done to assure the public that, where the Agencies ‘sub-contract’ intrusive
activity to their agents, those agents must adhere to the same ethical standards as the
Agencies themselves, and abide by the same legal framework. The Government should
therefore set out a clear and transparent ethical framework describing the conduct that is
expected of anyone whom the Agencies engage as an agent.

FF. In relation to the activities that we have considered thus far, those which are most
intrusive are authorised by a Secretary of State. Some witnesses questioned whether
Ministers had sufficient time and independence and suggested that the public had lost trust
and confidence in elected politicians to make those decisions. The Committee recognises
these concerns. However, one aspect which we found compelling is that Ministers are able
to take into account the wider context of each warrant application and the risks involved,
whereas judges can only decide whether a warrant application is legally compliant. This
additional hurdle would be lost if responsibility were to be transferred to judges and may
indeed result in more warrant applications being authorised.

GG. In addition, Ministers are democratically accountable for their decisions. It is
therefore right that responsibility for authorising warrants for intrusive activities remains
with them. It is Ministers, not judges, who should (and do) justify their decisions to the
public. (We consider later the need for greater transparency: the more information the
public and Parliament have, the more Ministers will be held to account.)

HH. Intrusive capabilities which fall below the threshold requiring a warrant are
authorised by officials within the relevant Agency or department. While this is appropriate,
there should always be a clear line of separation within the Agencies between investigative
teams who request approval for a particular activity, and those within the Agency who
authorise it. Further, those capabilities that are authorised by officials should be subject
to greater retrospective review by the Commissioners to ensure that these capabilities
are being authorised appropriately and compensate for the lack of individual Ministerial
Authorisation in these areas.

II. The Commissioners’ responsibilities have increased as the Agencies’ capabilities
have developed. However, this has been piecemeal and as a result a number of these
responsibilities are currently being carried out on a non-statutory basis. This is
unsatisfactory and inappropriate (as the Commissioners themselves recognise). The
Commissioners’ non-statutory functions must be put on a clear statutory footing.

JJ. Throughout this Report, we have recommended an increased role for the
Commissioners – in particular, where capabilities are authorised at official level. While
this would require additional resources, it would mean that the Commissioners could look
at a much larger sample of authorisations.

KK. While oversight systems in other countries include an Inspector General function,
we note that Inspectors General often provide more of an internal audit function, operating
within the Agencies themselves. As such, the Committee does not accept the case for
transferring to this system: it is important to maintain the external audit function that the
Commissioners provide.

LL. The Investigatory Powers Tribunal is an important component of the accountability
structure. However, we recognise the importance of a domestic right of appeal and
recommend that this is addressed in any new legislation.

MM. The Intelligence Services Act 1994 and the Security Service Act 1989 provide the
legal basis for the Agencies’ activities, and broad general powers to act in accordance with
their statutory functions and purposes. We have concerns about the lack of transparency
surrounding these general powers, which could be misconstrued as providing the Agencies
with a ‘blank cheque’ to carry out whatever activities they deem necessary. We therefore
recommend that the Agencies’ powers are set out clearly and unambiguously.

NN. We are reassured that the Human Rights Act 1998 acts as a constraint on all the
Agencies’ activities. However, this safeguard is not evident to the public since it is not set
out explicitly in relation to each intrusive power. The interactions between the different
pieces of legislation which relate to the statutory functions of the intelligence and security
Agencies are absurdly complicated, and are not easy for the public to understand (we
address the requirement for a clearer legal framework later in this chapter).

OO. Section 7 of the Intelligence Services Act 1994 allows for a Secretary of State to
sign an authorisation which removes civil and criminal liability for activity undertaken
outside the British Islands which may otherwise be unlawful under UK law. We have
examined the Class Authorisations allowed under ISA in detail and are satisfied that they
are required in order to allow the Agencies to conduct essential work. Nevertheless, that
may involve intruding into an individual’s private life, and consideration should therefore
be given to greater transparency around the number and nature of Section 7 Authorisations.

PP. We consider that Ministers must be given greater detail as to what operations are
carried out under each Class Authorisation: a full list should be provided every six months.
We also recommend that Ministers provide clear instructions as to what operations they
would expect to be specifically consulted on, even if legally no further authorisation
would be required.

QQ. Under the Intelligence Services Act 1994 and Security Service Act 1989, the
Agencies are legally authorised to seek intelligence from foreign partners. However, there
are currently no legal or regulatory constraints governing how this is achieved.

RR. We have explored in detail the arrangements by which GCHQ obtain raw intercept
material from overseas partners. We are satisfied that, as a matter of both policy and
practice, GCHQ would only seek such material on individuals whom they themselves are
intercepting – therefore there would always be a RIPA warrant in place already.

SS. We recognise that GCHQ have gone above and beyond what is required in the
legislation. Nevertheless, it is unsatisfactory that these arrangements are implemented as
a matter of policy and practice only. Future legislation should clearly require the Agencies
to have an interception warrant in place before seeking communications from a foreign
partner.

TT. The safeguards that apply to the exchange of raw intercept material with international
partners do not necessarily apply to other intelligence exchanges, such as analysed
intelligence reports. While the ‘gateway’ provisions of the Intelligence Services Act and
the Security Service Act do allow for this, we consider that future legislation must define
this more explicitly and, as set out above, define the powers and constraints governing
such exchanges.

UU. The Committee does not believe that sensitive professions should automatically
have immunity when it comes to the interception of communications. However, some
specific professions may justify heightened protection. While the Agencies all operate
internal safeguards, we consider that statutory protection should be considered (although
we acknowledge that it may be difficult to define certain professions).

VV. Given the nature of current threats to the UK, the use of Directions under the
Telecommunications Act is a legitimate capability for the Agencies. However, the current
arrangements in the Telecommunications Act 1984 lack clarity and transparency, and
must be reformed. This capability must be clearly set out in law, including the safeguards
governing its use and statutory oversight arrangements.

WW. While our previous recommendations relate to the changes that would be required
to the existing legislative framework, the evidence that we have seen suggests that a more
fundamental review is now overdue.

XX. The Committee considers that the Government should introduce a new Intelligence
Services Bill setting out, in one Act of Parliament, the functions of the three UK
intelligence and security Agencies. This should consolidate the intelligence and security
related provisions of the following legislation: Security Service Act 1989; Intelligence Services Act 1994; Regulation of Investigatory Powers Act 2000; Wireless Telegraphy Act 2006; Telecommunications Act 1984; Counter-Terrorism Act 2008; and the relevant provisions of other legislation as appropriate.

YY. The new legislation should clearly list each intrusive capability available to the
Agencies (including those powers which are currently authorised under the implicit
authorities contained in the Intelligence Services Act and the Security Service Act) and,
for each, specify:

a. The purposes for which the intrusive power can be used (one or more of: the
protection of national security, the safeguarding of the economic well-being
of the UK, or the detection or prevention of serious crime).
b. The overarching human rights obligations which constrain its use.
c. Whether the capability may be used in pursuit of a specific person, location
or target, or in relation to a wider search to discover unknown threats.
d. The authorisation procedures that must be followed, including the review,
inspection and oversight regime.
e. Specific safeguards for certain individuals or categories of information – for
example, UK nationals, legally privileged information, medical information etc. (This should include incidental collection where it could not reasonably have been foreseen that these categories of information or individuals might
be affected.)
f. Retention periods, storage and destruction arrangements for any information
obtained.
g. The circumstances (including the constraints that might apply) in which any
intelligence obtained from that capability may be shared with intelligence,
law enforcement or other bodies in the UK, or with overseas partners.
h. The offence which would be committed by Agency personnel abusing that
capability.

i. The transparency and reporting requirements.

ZZ. In terms of the authorisation procedure, the following principles should apply:

a. The most intrusive activities must always be authorised by a Secretary of
State.
b. When considering whether to authorise the activity, the Secretary of State
must take into account, first, legal compliance and, if this is met, then the
wider public interest.
c. All authorisations must include a summary of the expected collateral
intrusion, including an estimate of the numbers of innocent people who may
be impacted, and the extent to which the privacy of those innocent people will
be intruded upon.
d. Any capability or operation which would result in significant collateral
intrusion must be authorised by a Secretary of State.
e. All authorisations must be time limited (usually for no longer than six months).
f. Where an authorisation covers classes of activity conducted overseas, this
must include the requirements for recording individual operations conducted
under those authorisations, and the criteria for seeking separate Ministerial
approval.
g. Where intelligence is sought from overseas partners, the same authorisation
must be obtained as if the intrusive activity was undertaken by the UK Agency
itself.
h. Where unsolicited material is received, the circumstances in which it may
be temporarily held and assessed, and the arrangements for obtaining
retrospective authority (or where authority is not given, destruction of the
material) must be explicitly defined.

AAA. In relation to communications, given the controversy and confusion around
access to Communications Data, we believe that the legislation should clearly define the
following terms:

‘Communications Data’ should be restricted to basic information about
a communication, rather than data which would reveal a person’s habits,
preferences or lifestyle choices. This should be limited to basic information
such as identifiers (email address, telephone number, username, IP address),
dates, times, approximate location, and subscriber information.

‘Communications Data Plus’ would include a more detailed class of information
which could reveal private information about a person’s habits, preferences
or lifestyle choices, such as websites visited. Such data is more intrusive and
therefore should attract greater safeguards.

‘Content-Derived Information’ would include all information which the
Agencies are able to generate from a communication by analysing or processing
the content. This would continue to be treated as content in the legislation.

BBB. The Committee has identified a number of areas where we believe there is scope
for the Government to be more transparent about the work of the Agencies. The first
step – as previously set out – is to consolidate the relevant legislation and avow all of the
Agencies’ intrusive capabilities. This will, in itself, be a significant step towards greater
transparency. Where it is not practicable to specify the detail of certain arrangements
in legislation, the Government must nevertheless publish information as to how these
arrangements will work (for example, in Codes of Practice). We recognise that much of
the detail regarding the Agencies’ capabilities must be kept secret. There is, however, a
great deal that can be discussed publicly and we believe that the time has come for much
greater openness and transparency regarding the Agencies’ work.