Thursday 10 October 2013

Oversight of GCHQ


“Stronger oversight” is the frequent reply to the concerns raised by the Snowden documents about NSA and GCHQ. But in UK terms what would more rigorous scrutiny of GCHQ and, for that matter, the other Agencies, actually look like?

I wrote a short piece for the Guardian’s Comment is Free but while that is a good platform to get attention, the 800-word limit isn’t enough for more complex nuanced arguments and background explanation.

Inevitably people approach these issues with certain assumptions; you need to know mine and also be able to assess the value of my commentary. 

Assumptions

While my long-term hopes for humankind include permanent world peace and universal honesty, the world in which I live is dominated by competitive, sometimes even aggressive, nation states and an increasing number of non-state global profit-seeking entities based on finance, the supply of ICT services and large-scale manufacture.  There are also many varieties of dishonest and corrupting persons.  That means, alas, the need for intelligence and law enforcement agencies.  In turn these need powers and resources – and much of the investigatory aspects of their work will have to be operationally covert.


As to my qualifications, apart from what you can read on my website,  I have never worked within the intelligence community but I have had many types of contact with various officers from the Agencies since the mid-1990s, largely as a result of my cyber security work.  Between 2003 and 2009 I was on a Panel on Emergency Response run by the then UK Government Chief Scientist during which there was frequent interaction with the Agencies and elements in the Cabinet Office.  I have acted as a Specialist Advisor to a Commons Select Committee and also frequently give evidence to such committees.  You will, I hope,  understand the relevance of all of these experiences later in this post. 


Lost Trust

Trust has been lost in the current mechanisms of oversight: Interception and Intelligence Commissioners – too limited to simply testing compliance with the Regulation of Investigatory Powers and Intelligence Services Acts (RIPA and ISA); elected warrant-signing senior politicians – unlikely to have the necessary background to ask the tough questions particularly in relation to the effects of changing technologies, politically reluctant to challenge the spooks and not really democratically accountable to Parliament as much cannot be fully openly discussed; the Intelligence and Security Committee (ISC) – lacking in necessary knowledge and experience and woefully under-resourced to know the right questions. It is difficult to discern, from their published reports, that they are testing the fundamental assumptions of Ministers and the Agencies about perceived threats and how strategically these are to be met. There are few references to value-for-money in the various Agency activities. Nor do they appear to be questioning the quality of the internal procedures of the Agencies. And there is scant reference to judgements about the impact of changing technologies.

According to Chris Huhne, former Cabinet Minister, but more crucially also a member of the National Security Council, (on its website: “the main forum for collective discussion of the government’s objectives for national security”) he never knew about GCHQ’s Prism and Tempora programs.

Some react with outrage that there should be any issue of questioning the ethics and integrity of the intelligence community. There are several responses. First, the main remit of the Agencies is spying and they are assessed on the basis of the value of the “product” and associated assessments. It is an impossibility that they can simultaneously be the sole arbiter in deciding how far they should go in an intrusion. Second, however ethical and well-run they are it is inevitable that mistakes in operations and judgements will be made – and with them the temptation to suppress knowledge that they have occurred, if only in the mistaken belief that “trust” would be undermined if imperfections became public. If we compare the Agencies with the police, who for the most part are believed to behave properly, nevertheless currently there are concerns about Hillsborough, South Wales Police, and undercover policing of demonstrators. And if we also look at the regular Ministries – the Agencies are part of the civil service – we can also see many mistakes: Department of Transport in costing the West Coast franchise, Ministry of Defence with cost over-runs too numerous to mention, Department of Health’s mismanagement and prolonged concealment of the failures of the Connecting for Health system, Home Office failures in processing immigration requests, and managing the UK’s borders. Why would we think that the Agencies are entirely free from these sorts of problems? You have only to read Peter Wright’s Spycatcher to see that in the not-too-distant past very strange views were allowed to fester in MI5. Wouldn’t stronger oversight reduce their likelihood or at least publicise them so that corrective action becomes possible?


No Perfect Solution

There is no perfect oversight solution – any new regime will still lack total transparency – and will involve individuals, almost certainly with high levels of security clearance, sitting in secret.


Some specific law reform may be desirable, even necessary - some tightening of  UK and EU Data Protection law and of RIPA and ISA but in this arena, as in many others, clarity in policy aims should precede formulation of wordings for laws.    After a while “law” gives way to “politics”. Even at their best, these laws are only OK for protecting domestic citizens but not foreign individuals, businesses and governments – discovered state spying results in letters of complaint and the expulsion of diplomats, not prosecution.  

In the end who wants to be going to the courts all the time?  The key bits of  RIPA and ISA, to do with Agency remit, will always require flexible interpretation.   Sturdy plausible oversight mechanisms are what are really required.


What are the aims of an oversight mechanism?

Before looking at specific points in the system where oversight can be introduced or developed, we need to think what we want it to do.  The element that appears to be already in place is scrutiny of specific routine operations.  It is the bigger issues that are not covered. 
First among these must be testing current views of “What is the threat?” as everything else, levels of intrusion and expenditure on resources and people, follow.  With fewer than 60 mainland deaths from domestic terrorism since 1989 compared with the 3201 who died in traffic accidents in the single year, 2005, when 52 people died in 7/7, questions must be asked whether terrorism is the persistent existential threat so often used to justify whole-population surveillance.  Or whether, in view of the low evidential requirements to secure prosecutions under the Terrorism Act 2006 – dissemination of terrorist materials, “encouragement”, providing training – there are really large numbers of foiled plots which never come to public attention.  Plainly the traditional diplomatic and military targets of espionage and counter-espionage persist along with their newer cyber variants.   

Next, there is the impact of changing technology. Yes, one wants GCHQ to “Master the Internet” but the range and extent of material now available for harvesting plus the ease of large-scale data mining changes the intrusion equation. Is “you never know all this data might be useful someday” a good enough reason to initiate large schemes for mass collection? Do we really think that intrusion only occurs when globally collected data is actually searched? Yes, too, there are circumstances when encryption must be broken, but, after Snowden’s revelations, trust in e-commerce, e-banking and routine business confidentiality precautions, all reliant on crypto and all essential to the economy, is under threat. Who understands and tests GCHQ’s judgements on the balance of risk in these matters?

GCHQ cannot be considered apart from its ultra-close relationship with NSA. But here too there are judgements which can go by the board. The national interests of the UK and USA are not completely intertwined and there remains the concern that NSA can monitor UK citizens and businesses as foreigners and pass the results to GCHQ who would otherwise be bound by RIPA – and vice versa. Should the UK be using US-based cloud services?

Beyond that there is our relationship with other countries – the risks involved in being caught spying on them, or having covert agreements for the siting of Internet probes.

Finally, the public needs re-assurance against abuse.

Scope for improvements exists throughout and beyond the current oversight regime. The Justice and Security Act 2013 already gives some more powers to the ISC while the Intelligence Services Commissioner’s remit is extended to cover “any aspect of the functions” of an intelligence service and refers to the implementation or effectiveness of particular policies.



Oversight Agenda

In the agenda for debate set out below I have deliberately designed for some overlap of functions so that there are several semi-competing oversight functions which should act as a mutual check.



  • Government to publish annual fact-based national threat assessment rather than the current simplistic references to “moderate”, “substantial” and “severe”
The obvious originator of such a publication appears to be the National Security Council, which in so far as it is not doing so already could borrow ideas from the US National Intelligence Council, responsible for the US Estimates. At the moment the UK Cabinet Office publishes a National Risk Register of Civil Emergencies which deals with various threats, natural and deliberate. It is the public version of a more extensive classified document, the National Risk Assessment. Something similar, with historic statistics of terrorism threats in particular would form the basis of public discussion of what counter-measures appeared to be necessary and proportionate. As an alternative or additional author there is also the Joint Intelligence Committee (JIC) though this entity, once very important, may be being wound down.



  • Ministers to retain operational authorisation for Agency activities but warrants for interception, including the broad-based  s 8(4) RIPA “certificated” warrants to be passed for approval to a court; with short-term provision for retrospective warrant-granting in emergencies 
Although Ministers are, in practical terms, not immediately accountable to Parliament as there are nearly always reasons not to make public statements, in a democracy there is no alternative but to have elected individuals responsible for policy. But it seems a mistake to say those persons should necessarily also sign off on warrants. A separate entity, a judge or group of judges, should be tasked with deciding on the necessity and proportionality of specific acts of intrusion within the ministerial policy framework. Such an approach is an improvement on what we have, though there may still be circumstances in which a court over-favours the Agencies – see for example current concerns that the US FISC is misinterpreting the law.




  • ISC to be a proper Select Committee of Commons and Lords with no pre-nomination by the Prime Minister and preferably with a robust Chair; to have extended semi-permanent staff including a privacy advocate and academic technical experts  not drawn from the intelligence community.   
At the moment the ISC is described as a “Committee of Parliament”, its members are Parliamentarians, members of the Commons and Lords. They are nominated by the Prime Minister in consultation with the Leader of the Opposition and then appointed by Parliament. It is not a Select Committee. The ISC’s remit: “includes oversight of operational activity and the wider intelligence and security activities of Government. … Other than the three intelligence and security Agencies, the ISC examines the intelligence-related work of the Cabinet Office including: the Joint Intelligence Committee (JIC); the Assessments Staff; and the National Security Secretariat. The Committee also provides oversight of Defence Intelligence in the Ministry of Defence and the Office for Security and Counter-Terrorism in the Home Office.”

The problem with the ISC is not remit but resource and capability. Only two of the current nine members would have had any serious experience of dealing with the Intelligence community, none has much knowledge of changing surveillance and computer technologies. Regular Select Committees rely heavily on the advice of Specialist Advisors, usually recruited from academia to support specific inquiries. In the case of the ISC there is no need for all Specialist Advisors to see everything the Committee sees. Select Committees prefer to have sessions that are open but also frequently have meetings where the public are excluded.

A reformed and extended ISC should also cover the activities of Ministers – as do the departmental Select Committees. It should hold at least one public session a year with the heads of the Agencies and also key Ministers. Ministers as well as the Agencies to provide full candid information in secret sessions. Ministers should lose their power of vetoing the appearance of Agency Staff before the ISC. All future Annual Reports to cover changing strategic objectives of Agencies, transparency, value for money, impact of technological change, and commentary on intrusion limitation. The ISC should declare its budget and resources so that they can be seen to be adequate. There should be powers to demand access without the current limitation of potential ministerial veto. And no-notice visits would also be useful.



  • Intelligence Service Commissioner’s remit to extend to reviewing the work of warrant-signing ministers (if that role is retained), to report annually on quality of internal audit within the Agencies, the impact of changing technological facilities and on Agencies’ role in intrusion limitation.  Proper permanent staff resourcing required.  Publication of detail about the types,  purpose and quantity of interception warrants. The Commissioner should declare the size of his budget and resources - so that adequacy can be judged.
  • Information Commissioner to have specific role to report on intrusion limitation policies of Agencies and comment on impact on Data Protection policy. 
  • GCHQ to review its internal audit facilities so that each intrusive search is recorded together with the justification/authorisation – this facility is essential for any proper external inspection
  • ISC,  Intelligence Services Commissioner and Heads of Agencies to adopt a more public profile, engaging in debate both fully in public and at Chatham House Rule-type events
  • Better protection for whistle-blowers from within the intelligence community - right of direct access to the ISC.
  • The Investigatory Powers Tribunal, currently the ultimate appeal mechanism, to be more transparent and to be made subject to judicial review of its work. 

Some of these are easier to achieve than others – a UK supervising court will need to learn the defects of the US’s FISC, for example.




Snowden’s documents provided detail and confirmation of what had long been suspected by anyone who had read the published books about NSA and GCHQ and then gone on to speculate what those organisations might now be seeking to do. Now that some of that detail is in the public domain GCHQ can, paradoxically, be more candid in discussing some of its activities and judgements. And, rather than concentrating on Snowden’s “traitorous” nature, perhaps achieve greater public support and legitimacy, a view supported by David Omand, one of its former Directors and Intelligence Co-ordinator and Stella Rimington, a former MI5 Director.
