Feeds

How GCHQ keeps tabs on FOI requestors

Are widely available IT docs really a 'national security' matter?

The Power of One Infographic

The handling of my FOIA request for an innocuous document provides evidence that the national security agencies will apply whatever exemption it can get it hands on, to be applied whenever it can, irrespective of the circumstances of the case. The mantra appears to be “if it can be kept secret, it will be kept secret”.

This is a worrying conclusion because the meaning of “national security” is expanding almost as fast as the universe. In the latest “Wikileaks” episode, the press were full of reports that a “snake venom facility” in Australia was a national security concern for the USA. Are we to assume, therefore, in the UK that “national security powers” could be applied to justify the processing of personal data in connection with the production of snake venom?

It is interesting to note that the Intelligence Services Act of 1994 provides the legal basis for GCHQ’s purpose associated with the provision of “bog standard”, declassified, IT security advice. This states that GCHQ’s role is to “to provide advice and assistance about ... the terminology used for technical matters, and cryptography and other matters relating to the protection of information and other material” to central government or any other organisation chosen by the Prime Minister.

That explains why “national security” now embraces “providing advice and assistance on the security of communications and electronic data...”, business continuity and resilience planning (eg against Acts of God) and delivering “information assurance policy services” to public bodies. In fact, all situations envisaged by the Civil Contingencies Act 2004 are arguably now matters of “national security”.

The inclusion of these areas such as IT security is an example of “national security function creep”. These wider dimensions add to that creeping which has already arisen in the area of policing, as both the Intelligence Services Act of 1994 and Security Service Act of 1996, extended the function of the national security agencies to additionally support “the activities of police forces and other law enforcement agencies in the prevention and detection of serious crime”.

So when these national security agencies process personal data to support the police, these agencies do not process personal data for a “crime purpose” (which is the obvious purpose when the processing is to assist the police in connection with serious crime) but rather for the “national security purpose”. This position was upheld by previous Home Secretaries in the previous administration (see here).

Why the difference? Well both exemptions are designed to protect the processing interests of the respective bodies, and they have successfully achieved this objective. For example, I have not heard the police arguing that the Data Protection Act stops them processing their criminal intelligence. However, the policing exemption in Section 29 of the Data Protection Act is fully subject to the Information Commissioner’s independent oversight, while the broader “national security purpose” in Section 28 is not. Hence the inevitable conclusion that the objective of morphing the “national security” purpose to include the “policing purpose” is to minimise and avoid independent supervision by the Commissioner.

I should add that this position cannot be effectively challenged, because Section 28 states that if a Minister signs a certificate that equates the “national security purpose” with the “policing purpose”, then that is the end of the matter.

The dilemma associated with balancing the national security purpose with individual privacy and transparency concerns is not a new issue. Back in 1979, the Lindop Report into Data Protection (Cmnd 7341, paras 23.21-23.24) stated that the national security agencies should be subject to a data protection Code of Practice that was independently supervised.

The report concluded that it was important to take the national security agencies out of their "hermetically sealed" environment in order to ensure that these agencies would be "open to the healthy – and often constructive – criticism and debate which assures for many other public servants that they will not stray beyond their allotted functions".

So I end this article by asking a basic question. Do you think that the national security agencies have “strayed”? Does an expanding definition of “national security”, supported by a lack of transparency and accountability, carry the risk of encouraging such “straying”?

Currently, the national security agencies effectively decide for themselves how far the “national security purpose” stretches. This risks increasing the “national security function creep” and establishing a position that is less and less accountable by the day.

In short, I think the time has come to urgently revisit how the exemptions in Data Protection Act and FOI Act should apply national security agencies.

References: See “Human Rights Legislation and Government Policy towards national security – 2006”, which explores data protection in the context of weak regulation, a lack of Parliamentary and judicial scrutiny, and the national security purpose, or click here .

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

HP ProLiant Gen8: Integrated lifecycle automation

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
UK government officially adopts Open Document Format
Microsoft insurgency fails, earns snarky remark from UK digital services head
Major problems beset UK ISP filth filters: But it's OK, nobody uses them
It's almost as though pr0n was actually rather popular
HP, Microsoft prove it again: Big Business doesn't create jobs
SMEs get lip service - what they need is dinner at the Club
ITC: Seagate and LSI can infringe Realtek patents because Realtek isn't in the US
Land of the (get off scot) free, when it's a foreign owner
MPs wave through Blighty's 'EMERGENCY' surveillance laws
Only 49 politcos voted against DRIP bill
Help yourself to anyone's photos FOR FREE, suggests UK.gov
Copyright law reforms will keep m'learned friends busy
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.