Feeds

How GCHQ keeps tabs on FOI requestors

Are widely available IT docs really a 'national security' matter?

High performance access to file storage

The handling of my FOIA request for an innocuous document provides evidence that the national security agencies will apply whatever exemption it can get it hands on, to be applied whenever it can, irrespective of the circumstances of the case. The mantra appears to be “if it can be kept secret, it will be kept secret”.

This is a worrying conclusion because the meaning of “national security” is expanding almost as fast as the universe. In the latest “Wikileaks” episode, the press were full of reports that a “snake venom facility” in Australia was a national security concern for the USA. Are we to assume, therefore, in the UK that “national security powers” could be applied to justify the processing of personal data in connection with the production of snake venom?

It is interesting to note that the Intelligence Services Act of 1994 provides the legal basis for GCHQ’s purpose associated with the provision of “bog standard”, declassified, IT security advice. This states that GCHQ’s role is to “to provide advice and assistance about ... the terminology used for technical matters, and cryptography and other matters relating to the protection of information and other material” to central government or any other organisation chosen by the Prime Minister.

That explains why “national security” now embraces “providing advice and assistance on the security of communications and electronic data...”, business continuity and resilience planning (eg against Acts of God) and delivering “information assurance policy services” to public bodies. In fact, all situations envisaged by the Civil Contingencies Act 2004 are arguably now matters of “national security”.

The inclusion of these areas such as IT security is an example of “national security function creep”. These wider dimensions add to that creeping which has already arisen in the area of policing, as both the Intelligence Services Act of 1994 and Security Service Act of 1996, extended the function of the national security agencies to additionally support “the activities of police forces and other law enforcement agencies in the prevention and detection of serious crime”.

So when these national security agencies process personal data to support the police, these agencies do not process personal data for a “crime purpose” (which is the obvious purpose when the processing is to assist the police in connection with serious crime) but rather for the “national security purpose”. This position was upheld by previous Home Secretaries in the previous administration (see here).

Why the difference? Well both exemptions are designed to protect the processing interests of the respective bodies, and they have successfully achieved this objective. For example, I have not heard the police arguing that the Data Protection Act stops them processing their criminal intelligence. However, the policing exemption in Section 29 of the Data Protection Act is fully subject to the Information Commissioner’s independent oversight, while the broader “national security purpose” in Section 28 is not. Hence the inevitable conclusion that the objective of morphing the “national security” purpose to include the “policing purpose” is to minimise and avoid independent supervision by the Commissioner.

I should add that this position cannot be effectively challenged, because Section 28 states that if a Minister signs a certificate that equates the “national security purpose” with the “policing purpose”, then that is the end of the matter.

The dilemma associated with balancing the national security purpose with individual privacy and transparency concerns is not a new issue. Back in 1979, the Lindop Report into Data Protection (Cmnd 7341, paras 23.21-23.24) stated that the national security agencies should be subject to a data protection Code of Practice that was independently supervised.

The report concluded that it was important to take the national security agencies out of their "hermetically sealed" environment in order to ensure that these agencies would be "open to the healthy – and often constructive – criticism and debate which assures for many other public servants that they will not stray beyond their allotted functions".

So I end this article by asking a basic question. Do you think that the national security agencies have “strayed”? Does an expanding definition of “national security”, supported by a lack of transparency and accountability, carry the risk of encouraging such “straying”?

Currently, the national security agencies effectively decide for themselves how far the “national security purpose” stretches. This risks increasing the “national security function creep” and establishing a position that is less and less accountable by the day.

In short, I think the time has come to urgently revisit how the exemptions in Data Protection Act and FOI Act should apply national security agencies.

References: See “Human Rights Legislation and Government Policy towards national security – 2006”, which explores data protection in the context of weak regulation, a lack of Parliamentary and judicial scrutiny, and the national security purpose, or click here .

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Big Content goes after Kim Dotcom
Six studios sling sueballs at dead download destination
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
Jack the RIPA: Blighty cops ignore law, retain innocents' comms data
Prime minister: Nothing to see here, go about your business
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.