British spies read thousands of private messages sent over the internet every day in the hunt for terror suspects and other potential enemies, an unprecedented report into Britain’s snooping powers revealed today.
The intercepted data is just a tiny fraction of the information sent over the worldwide web, the report by a powerful group of MPs and peers said, as they set out for the first time details of the spying capabilities of GCHQ, MI5 and MI6.
The move is designed to make the work of the security and intelligence agencies more transparent following a backlash from privacy campaigners after the major leak by Edward Snowden in June 2013 of secret British and American intelligence-gathering techniques.
The intelligence and security committee recommended the creation of a single piece of legislation to cover all the powers given to GCHQ, MI5 and MI6 to keep Britain safe. This would include allowing them to continue to collect huge amounts of data in the hunt for terrorists – a capability the committee deemed to be necessary and proportionate.
The spy agencies also need this law, which is expected to be drafted after the election, to set out clearly the powers and the limitations they have when seeking to intercept and read or listen to individual emails, phone conversations and other forms of private communication, the committee said.
Advertisement
The recommendation, it said, was designed to strike a balance between the need to safeguard the powers of the agencies to protect Britain, while also demonstrating that individual privacy is not being needlessly violated.
A person’s private communications can only be spied upon following an express order granted by a government minister, the committee added.
Hazel Blears, a former Labour minister and member of the committee, said that the internet has transformed the way people communicate.
“This has led to a tension between the individual right to privacy and the collective right to security,” she said.
“This has been the focus of considerable debate over the past 18 months, and set the context for the committee’s inquiry into the range of intrusive capabilities used by MI5, MI6 and GCHQ.”
Advertisement
The spy agencies already have a range of intrusive powers which they use to generate leads, to discover threats, to identify those who are plotting in secret against the UK and to track those individuals.
Under a chapter about bulk interception, the report revealed that analysts at GCHQ examine only a “tiny fraction” of the billions of items that are sent over the internet on a daily basis.
Some of the most sensitive data and details are redacted for national security reasons.
“Our scrutiny of GCHQ’s bulk interception via different methods has shown that while they collect large numbers of items, these have been targeted in some way,” it said.
“Nevertheless it is unavoidable that some innocent communications may have been incidentally collected.”
Advertisement
The next stage in the process involves filtering the data collected to identify emails, messages and other forms of communication that is actually read by British spies.
“In practice this means that fewer than *** of *** per cent of the items that transit the internet in one day are ever selected to be read by a GCHQ analyst. These communications – which only amount to *** thousand items a day – are the only ones considered to be of the highest intelligence value.”
The report, added: “Only the communications of suspected criminals or national security targets are deliberately selected for examination.”
In a bid to improve transparency, which the committee said had been lacking in terms of public knowledge of the snooping powers given to MI5, MI6 and GCHQ, the report set out a review of the “full range of intrusive capabilities available”.
“Although some material has had to be redacted for the purpose of protecting national security, it nevertheless contains an unprecedented amount of information about those capabilities, and we have revealed the use of certain capabilities – such as Bulk Personal Datasets and Directions under the Telecommunications Act 1984 - for the first time,” Ms Blears said.
Advertisement
“The report represents a landmark in terms of the openness and transparency surrounding the agencies’ work.”
In terms of the findings of the 149-page report, entitled Privacy and Security: a modern and transparent legal framework, the committee found that Britain’s intelligence agencies did not seek to circumvent the law.
“However the legal framework is unnecessarily complicated and – crucially – lacks transparency,” the report said.
“Our key recommendation therefore is that all the current legislation governing the intrusive capabilities of the security and intelligence agencies be replaced by a sew, single act of parliament.”
The report found that GCHQ requires access to internet traffic through bulk interception primarily to uncover threats - whether that might be cybercriminals, nuclear weapons proliferators or Islamic State jihadists.
Advertisement
“They need to find patterns and associations, in order to generate initial leads. This is an essential first step before the agencies can then investigate those leads through targeted interception,” the committee said.
GCHQ’s bulk interception systems involve three stages of targeting, filtering and selection:
- First, choosing which communications links, or bearers, to access: GCHQ’s systems operate on a very small percentage of the bearers that make up the internet.
- Then, selecting which communications to collect from those links that are being accessed: GCHQ apply levels of filtering and selection such that only a fraction of the material on those bearers is collected.
- Finally, deciding which of the communications collected should be read: further targeted searches ensure that only those items believed to be of the highest intelligence value are ever presented for analysts to examine. Only a very tiny percentage of those collected are ever seen by human eyes.
“Given the extent of targeting and filtering involved, it is evident that while GCHQ’s bulk interception capability may involve large numbers of emails, it does not equate to blanket surveillance, nor does it equate to indiscriminate surveillance.”
The report found that GCHQ was not collecting or reading everyone’s emails. “They do not have the legal authority, the resources, or the technical capability to do so.”