Privacy International has slammed the UK's spy agencies for failing to keep a proper paper trail over what data telcos were asked to provide under snooping laws, following its first ever cross-examination of a GCHQ witness.
The campaign group was granted the right to grill GCHQ's star witness after he made a series of errors in previous statements submitted to the Investigatory Powers Tribunal (IPT). The evidence was part of a long-running challenge over the spy agency's collection of bulk communications and personal data.
Although the witness's most recent errors related to submissions made at an October 2017 hearing about how much access IT contractors employed by GCHQ have to data, much of the cross-examination aimed to unpick GCHQ's role in choosing what information telcos hand over.
Under section 94 of the Telecommunications Act, communications service providers and public electronic communications networks can be asked to provide the UK's spy agencies with bulk communication data on users' phone and internet records.
The use of s94 directions only became public knowledge in 2015, when the government introduced its so-called Snooper's Charter and admitted that such collection had been going on since 1998. Privacy International launched a legal challenge against the government and, in 2016, the IPT ruled the activity illegal for the time it was carried out under wraps.
Since then, the tribunal has been ploughing through related issues arising from the case, as Privacy International pushes to uncover more detail about how the s94 directions work, with GCHQ providing much of its evidence through one key witness.
Witness X, as he is known – he has been granted anonymity and speaks from behind a screen – was the deputy director for mission policy at the Cheltenham-based agency for about three years up until last month.
Throughout the case, he has given evidence and submitted multiple statements on behalf of GCHQ to the tribunal. However, Witness X has had to amend his statements a number of times, and following the most recent correction Privacy International was granted permission to cross-examine him.
During the two-hour hearing this week, Thomas de la Mare, acting for Privacy International, unpicked Witness X's statements in granular detail, pressing for precise explanations on how GCHQ worked with service providers, how providers were issued with demands for information and how detailed those requests were.
Central to the debate are the so-called trigger letters – the term used in court to describe notices sent to CSPs detailing the information they are asked to provide – that are sent out after the Secretary of State signs off on the s94 direction.
Much of the questioning was aimed at ascertaining how much power GCHQ has in setting these specifics. The government and spy agencies have repeatedly pointed to the fact the Secretary of State holds the power to OK s94 directions – indeed, this was listed as the first step in the process in a letter sent to the then commissioner of interception of communications, Sir Swinton Thomas, in 2004.
However, Privacy International believes these may be broad sign-offs, with GCHQ left to fill in the specifics.
During the hearing, Witness X accepted that his agency had been able to narrow the focus of the request for data, but that this would be "a technical narrowing, rather than substantive" and was to do with non-communications data.
But Camilla Graham-Wood, solicitor at Privacy International, said that Witness X's evidence "has further muddied the waters in relation to what exactly went on in relation to the secretive section 94 regime".
She said: "When the agencies first approached the Commissioner in 2004 for approval of this regime, the involvement of the Secretary of State was relied upon to justify these secretive practices, particularly given the absence of parliamentary scrutiny.
"However, what has transpired, is that the section 94 directions signed by the Secretary of State were overly broad, and in light of GCHQ's evidence, the decision to choose what data was to be provided by the telecommunications operators was effectively exercised by GCHQ, without the involvement of the Secretary of State."
Cosy gents club?
During the hearing, de la Mare also made much of the relationship between GCHQ and the CSPs, emphasising the closeness between the providers and GCHQ's "sensitive relationship team" – which acts as the sole point of call for the telcos.
De la Mare argued that the essence of the underlying agreement was "consensual" and that the s94 directions were simply a "cover" to "justify" what the companies had already been willingly volunteering for many years.
Witness X replied that the relationship was "cooperative", but took issue with the idea that using s94 was a cover or a justification – saying it was simply used to provide a legal basis for the transfer of information. He stressed that there wasn't a negotiation over the specifics of what the CSPs would provide.
"The willingness is high level – is it [the CSP] willing to provide data or not," he said – rather than the provider being able to say it would provide this or that type of data.
He added that different PECNs might provide different data sets not because of what they had offered but because of the "nature of their business".
Elsewhere in the hearing, de la Mare produced a table – compiled using one of Witness X's previous statements – that set out the dates s94 directions were approved, the dates the corresponding trigger letters were sent and the level of detail these notices included.
Counsel used this to demonstrate that, in six of the 12 sets of s94 directions identified between 1998 and 2016, the information requested listed general, rather than specific communications data.
And, despite Witness X's earlier evidence that trigger letters are always sent out immediately after the foreign secretary signs off on the s94 direction, in at least two cases there was a delay.
In addition, there were a number of cases where there was no record of a trigger letter having been sent. The witness put this down to the fact that the information was sometimes given by other means, especially to providers that don't have the capability to deal with classified materials.
However, this effectively means there is no written record of the specific data requested from the companies, which would arguably make it impossible for GCHQ to cross-check and confirm it had received the correct information.
Graham-Wood said that such evidence raised questions over the relationship between GCHQ and the telcos.
"Where companies were so eager to hand over data about their customers, section 94 was required as a legal cover," she told The Register.
"The lack of a paper trail documenting what companies were asked to provide and reliance upon oral agreements strikes more of an old-school gentleman's agreement, despite it concerning highly sensitive personal data. This is clearly unacceptable." ®