Of mice, the NSA, GCHQ and data protection
There are some things we NEED to know about...
Comment Suppose you see a mouse in your house: is it likely to be the only mouse in your house? The relevance of the question will come apparent when we dig deeper into those infamous “black boxes” allegedly used by the USA’s National Security Agency1, the latest GCHQ mass interception fandango, and the responsibilities of the UK Information Commissioner.
With respect to the “black boxes”, I am surprised that no one has linked the latest machinations with the SWIFT (Society for Worldwide Interbank Financial Telecommunication)2 debacle back in 2006. In summary, a clearing house “data processor” in the US was required to provide “black box” access to USA national security authorities.
The banks in the UK, for instance - which are also data controllers - were kept totally in the dark about the scale of this backdoor access.
When the scandal broke, the Working Party of Data Protection Commissioners issued a strongly worded criticism2, which said that the “data processor” had assumed the mantle of “data controller”. UK banks were deemed to be disclosing personal data to another data controller and breaching the data protection rules, left right and centre.
It is not surprising therefore that the processing was eventually shifted to a data processor in Switzerland (which is deemed to have an adequate level of protection), unlike the US.
Given the current furore over “national security” and the bugging/tapping into the European Commission’s institutions, it is interesting to note the possible role of any national security agency. Are you really assuming that that the US bugged others but the Russians or Chinese did not try? And are the Europeans so innocent that they did not know this might happen?
So could the British bug these European institutions under current UK law? I don’t know, obviously, but you make your own mind up. The Intelligence Services Act 1994 defines the functions of the Intelligence Service to be exercisable only:
(a) in the interests of national security, with particular reference to the defence and foreign policies of Her Majesty’s Government in the United Kingdom; or
(b) in the interests of the economic well-being of the United Kingdom; or
(c) in support of the prevention or detection of serious crime”.
Note the last two conditions and ask yourself a few questions. Is it in the “interests of the economic well-being of the United Kingdom” or in support of “the prevention or detection of serious crime” to:
- know what is happening to monetary policy in the Euro zone?
- know UKIP’s policy towards how it would withdraw from the European Union?
- identify serial child abusers who use child porn and chat sites?
- identify political extremists who threaten violence in their email traffic?
- know what Google’s policy towards its future global internet services?
And that is why I think that Edward Snowden is only confirming actions which, if one thinks about it, are to be expected. The only issue is not whether such surveillance occurs, but rather the authorisation and supervision of such surveillance as being a “necessary interference” in the context of Article 8 of the Human Rights Act (a subject that I have discussed before).
In this regard, the real problems are:
- The Courts already defer to the Home/Foreign Secretary on national security issues.
- The Courts are unlikely to challenge Article 8 interference and second guess national security issues because Article 8 is a qualified right.
- Both main Parties are considering fettering judicial discretion in national security cases.
- Scrutiny by Parliament of national security issues is currently limited.
- There are too many Commissioners in the national security protection business.
- The current complaints system concerning national security does not appear to be credible.
- There is uncertainty in the borders between policing and national security.
Notice also that all the data protection authorities huffed and puffed over SWIFT. There is an deafening silence when personal data are captured by similar black boxes, assuming they are attached to the servers of Facebook, Google and Microsoft etc (which these companies deny).
If GCHQ has intercepted vast amount of personal data, there should be a certificate under Section 28 of the DPA (as well as authorisation under RIPA). If one does not exist, then the ICO can exercise his powers until that Certificate is produced. For instance in the case SSHD v The Information Tribunal3, one department told the ICO that:
As you are aware, section 28 of the Data Protection Act limits the extent to which we are able to assist you in this case. We will obtain a Ministerial Certificate signed by the Home Secretary should we be required to do so, but would first like to provide you with as much information as we possibly can give the limits imposed on us by the Act.
So in other words, the ICO and in fact all of Europe’s Data Protection Commissioners should not remain so silent (all there appears to be is a one-page letter4 from the Working Party; see references). They can ask certain questions - and should do so to the limit of their powers. After all the allegations relate to disproportionate interception of personal data and processing that is not necessary for the statutory functions of certain bodies.
Note also that if SWIFT gets a black box, if Google, Microsoft, AOL, Skype etc are linked to other alleged “black boxes”, and the GCHQ intercepts by some “black box” all internet traffic leaving to UK, what will happen with all those cloud based services which involve USA companies and internet communications which leave the UK?
Should all such cloud using data controllers having seen reference to "black boxes" elsewhere assume that there are no black boxes are attached to their cloud communications? Or is it when you see a mouse in the house do you assume that there is only one mouse?
2 Article 29 Working Party report (PDF) on SWIFT
3SSHD v The Information Tribunal Neutral Citation Number:  EWHC 2958 (Admin).
4 One-page letter from WP29 (PDF)
Relevant reference documents
Evidence: Human Rights Legislation and Government Policy towards national security – 2006. - Explores data protection in the context of Parliamentary scrutiny, data protection, human rights terrorism and national security Ebidence to the Joint Committee of Human Rights
Nine principles for assessing whether privacy is protected in a surveillance society (Part 1) (Part 2) – 2008. - The article sets out nine principles that rectify the problems identified by the UK’s inadequate regime and promotes specific Principles to improve the data protection/human rights regime. (Part 1 goes into why data protection and human rights regime in the UK is deficient.)
This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.
Sponsored: Network DDoS protection