Reports into Investigatory Powers
June 25, 2015
Mark Field (Cities of London and Westminster) (Con): It would be remiss of me not first to apologise to you, Mr Speaker, and to the Home Secretary for my absence for the earliest part of this debate; I had a long-standing constituency engagement—an occupational hazard of representing a central London seat. Actually, I am having to miss my daughter’s end-of-term ballet show, so I suspect that I will have rather fewer brownie points in my household than the shadow Home Secretary will have in the Balls-Cooper household.
This is anything but routine and uncontroversial business. As someone who served throughout the previous Parliament on the Intelligence and Security Committee, I am fully aware of the intensive work that went into at least one of the reports that we are discussing today. Naturally, it was the Edward Snowden revelations in The Guardian that first led to allegations in the US—we have a close intelligence relationship—that UK Government agencies were engaged in blanket surveillance on the internet. The inherent tension between the individual’s right to privacy and the collective entitlement to security referred to by the right hon. Member for Sheffield, Hallam (Mr Clegg) set the context of all these inquiries.
We looked first at interception. The agencies conduct two types of interception depending on the information they have and what GCHQ, MI5 and MI6 are charged with trying to achieve. The first type can be used as an investigative tool only where there is specific knowledge of a threat, allowing agencies to intercept a specific individual’s communications. That is known as targeted interception. However, as my right hon. and learned Friend the Member for Beaconsfield (Mr Grieve) said, the watchwords of necessity and proportionality lie very much at the heart of everything that our agencies wish to do. If the target is in the UK, the activity must be authorised by the Secretary of State under RIPA. Even the most ardent of privacy campaigners accept that principle of targeted interception.
The second sort of interception arises as a discovery or part of an intelligence-gathering tool. This allows the agencies to use targeted interception only after they have discovered that a threat exists. Such separate capabilities are required in order to uncover threats in the first place so that the agencies can determine patterns and associations that can generate the leads and obtain the information used to target individuals under suspicion. Bulk interception is primarily used as a discovery tool. This capability attracts the most controversy, as we have seen. It has helped to create an impression—misguided, in my view—that GCHQ is monitoring the communications of everyone in the UK. I should make it clear that, if that were the case, GCHQ’s actions would be illegal.
Our Committee rightly scrutinised in great detail the agencies’ capability to intercept internet communications, and we had a number of key findings. First and foremost, bulk interception involves three stages: filtering, targeting, and selection. The first of those involves choosing which communication links are to be accessed. It is worth pointing out that each and every minute the internet carries some 4.1 million Google searches, 6.9 million Facebook messages, 350,000 Twitter posts, and 204 million emails. Most of those communications are carried out through fibre-optic cables that carry bearers, of which there are only about 100,000. GCHQ can theoretically access only a tiny percentage of those bearers. It is therefore misleading to use the phrase “blanket surveillance” for what it does.
The second stage that GCHQ has in mind is to select which communications to collect from the very small number of bearers that it is accessing. A decision is then made on how it collects the communications to read. For communications collected under the first processing system, GCHQ undertakes a so-called triage process to determine which messages have the highest intelligence value. Even when GCHQ knows that communications relate to a known national security target, it does not have the capacity to read them all and must therefore, even within that context, prioritise. This all means that only a very small proportion of collected messages are ever read.
When we scrutinised those arrangements, we found that GCHQ will search for and select communications to examine only on the basis of a selector relating to an individual here in the UK, if—and only if—it first obtains a specific authorisation from a Secretary of State naming that individual. It is unlawful for our security services to search for and examine the communications of someone in the UK without a targeted additional authorisation. Our Committee found that the regulations and safeguards in place were, on the whole, pretty reassuring. That said, as Members will be aware, we made a number of recommendations in order to address concerns about transparency. This was very much mirrored in much of the Anderson report. Anderson was critical about some of the legal framework, of which I will say a little more later, but ultimately he gave the actions of GCHQ very much a clean bill of health.
We also examined the concerns that have been expressed over how the agencies use communications data—the “who, when and where” of a communication. This debate is increasingly complicated by a widespread confusion as to what information is classed as communications data and what is classed as content. There is a grey area involved. For example, looking at information that would not usually be classified as content, but has the potential to reveal a great deal about someone’s private life, should be placed in a special category where more scrutiny is placed on it than there ordinarily would be merely on the basis of its being communications data.
On the other rather intrusive capabilities potentially used by the agencies, the ISC report contains a number of detailed recommendations primarily in relation to specific statutory oversight and greater transparency, where that is possible without damaging national security; that must always be at the forefront of our minds in these matters. The most significant finding in our report, and in the Anderson report, relates, as other Members have rightly pointed out, to the legislative framework that governs the use of all these intrusive capabilities. At present, no single piece of legislation governs the powers and responsibilities of our intelligence and security agencies. The current framework is, as we have heard, complicated and unwieldy. Consolidation is now essential to maintain or sometimes—dare I say it?—to re-establish public confidence.
While we saw no direct evidence that the agencies were in any way seeking to circumvent the law—in truth, their constant watchwords are necessity and proportionality—I am afraid that the lack of clarity in the existing legislation has understandably fuelled suspicion that our security agencies are, on occasion, able to arbitrage the plethora of statutes to choose the easiest route in seeking authorisation. That cannot be a satisfactory situation. I therefore believe that the purposes, functions, capabilities and, importantly, obligations of our security agencies will need to be set out clearly in a single Act of Parliament. Like my right hon. and learned Friend the Member for Beaconsfield, I have some sympathy for the plight that the Home Secretary will face in having to get such a Bill through Parliament. It will be essential, but it will be a complicated matter. It will have to include issues such as privacy constraints, transparency arrangements, targeting criteria, sharing arrangements, and other safeguards that apply to the use of the security agencies’ capabilities.
The single most profound impact of the Snowden revelations has been felt by the global communications service providers. Exposing the hitherto cosy—perhaps over-cosy—relationships that existed between many household-name internet giants and security services and Governments across the world has resulted in a furious insistence from the CSPs that such co-operation must in future be governed by a clear legal framework.
That has potentially very serious implications, especially if there is any demand by globally run CSPs that such protocols should also operate on a global basis. This is, not least, because we have in this country a different culture regarding the security services, with a different framework and understanding of the way in which they operate within our Government compared even with other members of the “Five Eyes”. There is a glaring difference between the average UK citizen’s acceptance of the work of the secret intelligence agencies and the cultural approach taken to such matters in the USA, where there is a great sense of the individual being up against an all-powerful state, and in much of continental Europe. That is understandable. One need only look to my mother’s homeland. For six years of her life, she was brought up in Nazi Germany under the rigours of the Gestapo, and then under the Stasi in East Germany between 1945 and 1954. That has had a very strong bearing on these cultural differences. There is a danger that we in this country, after Bletchley Park and the glamour of James Bond, could be a little complacent about the way in which we view how the security services operate. It is very different in other parts of the world. If there were to be a push towards such global protocols, it would be more difficult to make the case for our exceptionalism.
Mr Grieve: My right hon. Friend makes a powerful case. This is one of the factors that we will have to take into account when we consider whether there might be advantages to judicial warrant systems because they are likely to command more acceptance internationally even if they do not necessarily seem to be required in this country.
Mark Field: I do not entirely agree with that, but I will touch on it in my concluding comments, which I will move on to fairly shortly.
There are potentially serious implications for the operational capabilities of our security services in their counter-terrorism operations. I am struck, however, by the clear irony that the business models of most internet service providers hinge on the exploitation of knowledge from their own user customers, which can then be sold for profit to third party advertisers. The protection of privacy obviously has its limits.
Snowden’s impact has also revolutionised the demand for and the creation of ever more effective encryption, which further and seriously depletes the capabilities of our security services. In the aftermath of the terrorist attacks of 2001 and, more recently, the attacks that took place on the streets of London almost exactly 10 years ago, the conventional wisdom was that public safety could be protected only by ever more sophisticated targeted internet surveillance. The events of recent times mean that it would be unwise to neglect the future importance of developing more traditional security tradecraft. Our security services will need to invest extensively and prudently in agent expertise on the ground, rather than simply relying on ever more sophisticated electronic surveillance expertise.
May I make a final observation on the highly contentious issue of the authorisation of warrants? As has been pointed out, the independent reviewer of terrorism legislation contends that all warrants should be subject to judicial authorisation. I also accept that, in the interests of promoting public confidence, it is now probably necessary that the regime of judicial oversight applying after the event will need substantial bolstering.
We need to remember, however, that it is senior Foreign and Home Office Ministers who are answerable to this House and to Parliament in the event of a major terrorist incident, which invasive surveillance is, of course, designed to prevent. It will be elected politicians, not judges, who will ultimately be accountable to the court of public opinion. Ultimately, therefore, I stand by the ISC’s view that Ministers should authorise warrants. Nevertheless, it is important that senior judges will need to be given a more significant role in scrutinising the operation of the process.
Our intelligence agencies do a very important, and increasingly very challenging, job in what are very difficult times. I believe that the UK public have good cause to maintain confidence in what they do, but I also contend that only greater transparency and scrutiny of their work will improve public understanding and reinforce that sense of confidence.