Today, the Intelligence and Security Committee of the British Parliament published a report entitled “Privacy and Security: A modern and transparent legal framework.”  The report is here and the accompanying press statement is here.

The Committee is a statutory committee of Parliament with responsibility for oversight of the UK intelligence community — comprised of the Security Service (MI5), the Secret Intelligence Service (SIS), and the Government Communications Headquarters (GCHQ), known together as, “the Agencies.” It has nine members, from across both Houses of Parliament. It sets its own agenda and work programs.

The Inquiry conducted by the Committee considered:

the range of intrusive capabilities currently available to the Agencies; how those capabilities are used in their investigations; the scale of their use; the extent to which these capabilities intrude on privacy; and the legal authorities and safeguards that constrain and regulate their use.

The Committee’s key recommendation is that the current legal framework should be replaced by a new Act of Parliament governing the Agencies and which “must clearly set out the intrusive powers available to the Agencies, the purposes for which they may use them, and the authorisation required before they may do so.” This recommendation is based on the facts that (1) there is no single piece of legislation governing what the Agencies can and cannot do, and (2) many key capabilities (e.g., exchange of intelligence with international partners) are implicitly authorized rather than defined by statute.

The Report records a range of other findings and recommendations including: 

  • GCHQ’s bulk interception capability is used either to investigate the communications of individuals already known to pose a threat or to generate new intelligence leads — for example to find terrorist plots, cyber attacks, or other threats to national security. The allegation that this capability allows GCHQ to monitor all of the communications carried over the internet is inaccurate. GCHQ does not have the legal authority, the technical capacity, or the resources for such blanket coverage.
  • Of the communications that are intercepted by GCHQ, only a fraction are ever selected to be read by a GCHQ analyst. The current legislative arrangements and practices adequately prevent innocent persons’ communications from being read.
  • Given GCHQ’s power to collect “external communications” and the fact that the pre-existing system is confusing and lacks transparency, the Government must publish an explanation of which communications are regarded as “internal” and which are regarded as “external” (presently defined in statute as one where at least one end is overseas).
  • “Thematic warrants” should be used sparingly and for shorter time scales than standard warrants. Thematic warrants are those covering the targeted interception of the communications of a “defined group or network” (rather than one individual).
  • The most intrusive activities should continue to be authorized by a Ministers and not by judges. This is justified because Ministers are able to take into account the wider context of each warrant application and the risks involved (whereas judges can only decide whether a warrant application is legally compliant) and Ministers are democratically accountable for their decisions.
  • Greater transparency is needed around the number and nature of Section 7 (of the Intelligence Services Act 1994) authorizations. These permit the Secretary of State to sign authorizations removing civil and criminal liability for activity undertaken outside the UK which may otherwise be unlawful under UK law.
  • Future legislation should clearly require the Agencies to have an interception warrant in place before seeking communications from a foreign partner.