We know this isn't about PRISM, Matt Warman MP. But do you?

Evidence-based policy requires receiving evidence

IPB +Comment

Former consumer technology editor at The Telegraph and current Conservative MP Matt Warman derailed an NSA whistleblower's attempt to deliver evidence on GCHQ spying, raising questions about the committee's competence to scrutinise the government's draft surveillance bill.

The MP offered distracting and irrelevant counter-statements to former NSA man Bill Binney during an oral evidence session last week before the Parliamentary committee scrutinising the draft Investigatory Powers Bill.

The Register understands that Binney may seek to resubmit his evidence after the committee's poor hearing.

Warman incorrectly stated that GCHQ's upstream data acquisition program (which he misidentified as PRISM) wasn't covered by the draft Investigatory Powers Bill, and wrongly stated that, even if it was, the program would be prevented by the draft legislation's "request filters".

In fact, the "request filters" are merely a method of holding data at the ISP level, while GCHQ's snooping is produced through fibre-level taps.

Delivering his oral evidence to the committee, Binney, a former technical director at the NSA, said the bulk acquisition of enormous datasets was not helping the work of intelligence analysts.

Speaking to The Register on the morning of his evidence session, Binney stated he wanted the security agencies to succeed in their mission of protecting us but that "mass data collection is making people dysfunctional".

"The point is to do a professional job and they're not doing that right now," Binney told The Register. The former TD suggested to us that the urgent actions of security services in the aftermath of atrocities showed what kind of efforts they should be engaged in all the time. He stated much the same thing to the committee: "Bulk collection means 'you don't know anything, so give me everything.'"

Spooking, smartly

Binney said a smarter approach would help shrink analysts' workloads by reducing the number of datasets they had to trawl through. Implementing some form of targeting at the interception level would create a richer environment for analysts rather than the diluted ocean of data provided by bulk acquisition practices, he said.

Matt Warman MP: Are you familiar with the request filter, as described in the bill?

Bill Binney: Yes. I think I am, but it's not the total bill. You're still advocating the bulk acquisition. I'm advocating stopping bulk acquisition.

Warman: But, very briefly, it seems to me that the request filter filters out the bulk data, it does exactly what you're asking it to do; are you saying that you don't understand that's what the request filter does, or that you're not familiar with the details of how the request filter would work?

Binney: Well, I think what I'm getting at is that bulk data is still stored, and accessible ...

Warman: [interrupting] Not to the Government, thanks to the request filter.

Binney: You mean at the ISPs. Well see, that's ... the committee I think needs to understand there's many different things going on here that add to this bulk acquisition. It's not just the ISPs.

The "request filters" have become something of a sticking point for the bill's proponents, who are keen to contradict criticism of their database creation by exploiting the word "filter".

This has not sat well with onlookers. The ISP Association stated that the "request filter effectively creates a single distributed database of communications data that is retained in the UK. This database not only allows for simple searches but also complex profiling queries. As such it is a very powerful tool that makes the complex analysis of communications data more easily achievable for public authorities".

Echoing this complaint about the fig-leaf nature of the term "filter" as used in the bill, Binney invited the committee to look at "some of the material that was exposed by Snowden, [which] shows clearly an upstream program".

GCHQ takes everything. Everything

Binney also tried to draw the committee's attention to how "the upstream program captures everything directly off the fibres as it's passed by" regardless of an eventual filter applied to searches of such material.

Binney: That's the bulk data acquisition that's available to GCHQ.

Warman: But that's not what's in this bill. That's not what we're talking about today. PRISM is different, fundamentally. This isn't a bill that proposes PRISM.

Binney: No, but I'm saying PRISM is a kind of analogy to the filtering...

As noted in paragraph 36(a) of the bill's Guide to Powers and Safeguards, data acquisition through bulk interception is currently provided for under RIPA. In his written evidence (PDF) to the committee, veteran investigative journalist Duncan Campbell asserted that GCHQ acquired data in bulk through "a small number of warrants issued under section 8(4) of RIPA".

Section 8(4) of the Regulation of Investigatory Powers Act falls within Part I, Chapter I of the legislation, which the draft bill is intended to replace: "The Bill will repeal and replace the existing interception powers in Part 1, Chapter 1 of RIPA with a new targeted interception power."

We're not introducing PRISM, insists MP

The Register asked Warman whether he had misspoken or misunderstood Binney's testimony. However, the MP did not seem to recognise any error, telling us:

I think if you look across the range of evidence sessions the joint committee has heard over the months, it's clear that all the members do understand the different provisions in the proposed legislation, and we've repeatedly heard that, as you say, this proposed legislation often simply replicates existing powers in a new act.

Setting the short exchange you mention in the broader context, I would hope it's clear that the point I was making was that the draft bill does not in some way set up a programme such as Prism, which was secret and did much to damage public trust in both government and technology companies, who seek to preserve the safety and privacy of their citizens and users.

In fact, what it would do is to make serious democratic and judicial oversight, which many argue Prism lacked, a key component of British law. That would be progress that everybody should welcome.

PRISM, of course, was/is an NSA program (and thus American, putting it outside Westminster's jurisdiction) and didn't come close to what the Home Secretary had intended to introduce with the Communications Data Bill.

Ironically, PRISM is very probably legally compliant and is a targeted program.

GCHQ maintains its own upstream data acquisition capability, which is called TEMPORA. This is GCHQ's full-take system (PDF) which contributes to the eavesdropping agency's "target discovery" mission, which Binney criticised for wasting analysts' time. It is part of the MASTERING THE INTERNET [sic] project, first disclosed by The Register four years before the Snowden revelations.

Warman responded to these details by stating:

[T]he point I was making was broader than the one you identify, namely that the Prism programme taken as a whole was not what we were talking about. I think it’s absurd to compare legislation that seeks to introduce much greater transparency and accountability for surveillance to Prism.

The MP did not respond to The Register any further. ®
