Of mice, the NSA, GCHQ and data protection

There are some things we NEED to know about...


Suppose you see a mouse in your house: is it likely to be the only mouse in your house? The relevance of the question will become apparent when we dig deeper into those infamous “black boxes” allegedly used by the USA’s National Security Agency [1], the latest GCHQ mass interception fandango, and the responsibilities of the UK Information Commissioner.

With respect to the “black boxes”, I am surprised that no one has linked the latest machinations with the SWIFT (Society for Worldwide Interbank Financial Telecommunication) [2] debacle back in 2006. In summary, a clearing house “data processor” in the US was required to provide “black box” access to USA national security authorities.

The banks in the UK, for instance - which are also data controllers - were kept totally in the dark about the scale of this backdoor access.

When the scandal broke, the Working Party of Data Protection Commissioners issued a strongly worded criticism [2], which said that the “data processor” had assumed the mantle of “data controller”. UK banks were deemed to be disclosing personal data to another data controller and breaching the data protection rules left, right and centre.

It is not surprising therefore that the processing was eventually shifted to a data processor in Switzerland (which is deemed to have an adequate level of protection), unlike the US.

Given the current furore over “national security” and the bugging/tapping into the European Commission’s institutions, it is interesting to note the possible role of any national security agency. Are you really assuming that the US bugged others but the Russians or Chinese did not try? And are the Europeans so innocent that they did not know this might happen?

So could the British bug these European institutions under current UK law? I don’t know, obviously, but you make your own mind up. The Intelligence Services Act 1994 defines the functions of the Intelligence Service to be exercisable only:

“(a) in the interests of national security, with particular reference to the defence and foreign policies of Her Majesty’s Government in the United Kingdom; or
(b) in the interests of the economic well-being of the United Kingdom; or
(c) in support of the prevention or detection of serious crime”.

Note the last two conditions and ask yourself a few questions. Is it in the “interests of the economic well-being of the United Kingdom” or in support of “the prevention or detection of serious crime” to:

  • know what is happening to monetary policy in the Euro zone?
  • know UKIP’s policy towards how it would withdraw from the European Union?
  • identify serial child abusers who use child porn and chat sites?
  • identify political extremists who threaten violence in their email traffic?
  • know what Google’s policy is towards its future global internet services?

And that is why I think that Edward Snowden is only confirming actions which, if one thinks about it, are to be expected. The only issue is not whether such surveillance occurs, but rather the authorisation and supervision of such surveillance as being a “necessary interference” in the context of Article 8 of the Human Rights Act (a subject that I have discussed before).

In this regard, the real problems are:

  1. The Courts already defer to the Home/Foreign Secretary on national security issues.
  2. The Courts are unlikely to challenge Article 8 interference and second guess national security issues because Article 8 is a qualified right.
  3. Both main Parties are considering fettering judicial discretion in national security cases.
  4. Scrutiny by Parliament of national security issues is currently limited.
  5. There are too many Commissioners in the national security protection business.
  6. The current complaints system concerning national security does not appear to be credible.
  7. There is uncertainty in the borders between policing and national security.

Notice also that all the data protection authorities huffed and puffed over SWIFT. There is a deafening silence when personal data are captured by similar black boxes, assuming they are attached to the servers of Facebook, Google, Microsoft etc (which these companies deny).

If GCHQ has intercepted vast amounts of personal data, there should be a certificate under Section 28 of the DPA (as well as authorisation under RIPA). If one does not exist, then the ICO can exercise his powers until that Certificate is produced. For instance, in the case SSHD v The Information Tribunal [3], one department told the ICO that:

As you are aware, section 28 of the Data Protection Act limits the extent to which we are able to assist you in this case. We will obtain a Ministerial Certificate signed by the Home Secretary should we be required to do so, but would first like to provide you with as much information as we possibly can, given the limits imposed on us by the Act.

So in other words, the ICO and in fact all of Europe’s Data Protection Commissioners should not remain so silent (all there appears to be is a one-page letter [4] from the Working Party; see references). They can ask certain questions - and should do so to the limit of their powers. After all, the allegations relate to disproportionate interception of personal data and processing that is not necessary for the statutory functions of certain bodies.

Note also that if SWIFT gets a black box, if Google, Microsoft, AOL, Skype etc are linked to other alleged “black boxes”, and GCHQ intercepts by some “black box” all internet traffic leaving the UK, what will happen with all those cloud-based services which involve USA companies and internet communications which leave the UK?

Should all such cloud-using data controllers, having seen reference to “black boxes” elsewhere, assume that no black boxes are attached to their cloud communications? Or, when you see a mouse in the house, do you assume that there is only one mouse?


[1] Slide show re the NSA interceptions

[2] Article 29 Working Party report (PDF) on SWIFT

[3] SSHD v The Information Tribunal, Neutral Citation Number: [2006] EWHC 2958 (Admin).

[4] One-page letter from WP29 (PDF)

Relevant reference documents

Evidence: Human Rights Legislation and Government Policy towards national security – 2006. Explores data protection in the context of Parliamentary scrutiny, human rights, terrorism and national security; evidence to the Joint Committee of Human Rights.

Nine principles for assessing whether privacy is protected in a surveillance society (Part 1) (Part 2) – 2008. The article sets out nine principles that rectify the problems identified in the UK’s inadequate regime and promotes specific Principles to improve the data protection/human rights regime. (Part 1 goes into why the data protection and human rights regime in the UK is deficient.)

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.
