Shutterstock/bluebay. All rights reserved.Ask someone to describe how spies share information, and you get descriptions of manila envelopes being passed silently between men in trenchcoats. While no doubt this occasionally still happens, it does not reflect the modern-day industrial-scale exchange of raw communications intelligence, automatically synced between top secret servers hosted around the world that account for the overwhelming majority of intelligence exchanges.
The Snowden revelations brought the concerns about the lawfulness of such intelligence exchange onto the front pages of newspapers everywhere. With the introduction of the draft Investigatory Powers Bill, an opportunity to bring this hitherto shadowy practice under the rule of law, has so far been missed. It is vitally important that it isn't.
Extensive degree of sharing
Intelligence-sharing, like intelligence collection is not a new thing. Since there have been intelligence agencies collecting secret intelligence, information has been shared, exchanged and distributed between partners where their interests align.
Among close allies, such as the agencies of the United Kingdom, the United States, Canada, Australia and New Zealand who make up the Five Eyes intelligence alliance, such exchange of both raw and analysed material is at the centre of the partnership.
The original Five Eyes agreement, declassified in 2010, more than 60 years after its execution in 1946, suggests that all intelligence material is shared between Five Eyes States by default. The text stipulates that, "all raw traffic shall continue to be exchanged except in cases where one or the other party agrees to forgo its copy.”
While aspects of the arrangement will no doubt have changed over the years, the integration between agencies made possible with today’s technology means that intelligence-sharing has never been more intimate.
In a legal challenge brought to the lawfulness of this bulk intelligence-sharing by Privacy International, Liberty, and Amnesty International in 2013 the Director General of the Office for Security and Counter Terrorism, Charles Farr told the court that "an extensive degree of sharing" continues between the Five Eyes. He explains:
“It is highly unlikely that any government will be able to obtain all the intelligence it needs through its own activities. It is therefore vital for the UK government to be able to obtain intelligence from foreign governments both to improve its understanding of the threats that the UK faces, and to gain the knowledge needed to counter those threats. Indeed, the intelligence that a foreign government shares with the intelligence services (on a strictly confidential basis) represents a significant proportion of the intelligence services' total store of intelligence on serious and organised criminals, terrorists and others who may seek to harm UK national security. The store of intelligence forms a resource for the government in seeking to take preventative action to counter threats, and save lives.”
The changes in international threats have meant that new partnerships have formed since the creation of the Five Eyes. Slowly but surely, the relationship that began with the Five Eyes has expanded to other friendly agencies. Another club, known as SIGINT Seniors Europe also exists, made up of the Five Eyes, plus the addition of France, Germany, Spain, Italy, Belgium, the Netherlands, Denmark, Norway and Sweden. No public statement has ever been made by the UK government or its agencies about the nature of the relationship, or the rules that govern it.
The Government’s position is that the routine sharing of raw, unanalysed intercepted material is governed by “detailed internal guidance ... and by a culture of compliance”. But the detail behind the sharing taking place between friendly agencies is not visible in either statute, code of practice, public statement or policy.
To take just one integration effort of the Five Eyes, codenamed ICREACH, the program was designed to create a joint ‘Google-like’ search interface to share records about phone calls, emails, mobile phone locations, and internet chats. Originally built in 2007, the program launched with 850 billion records, with plans for one to two billion new records being added every day.
Concerns about games of jurisidictional arbitrage, where one agency can task another country to do its dirty work have been rife. Obfuscation as to how already complex rules governing intelligence collection apply when undertaking joint operations with foreign agencies, or when one agency reaps the benefit of a foreign agency’s work product, have made this area a hotbed of conspiracy. David Anderson, the independant reviewer of terrorism summarised current policy as:
"(a) No warrant is required to seek intelligence reports from overseas partners, though there are internal processes for verifying that the intelligence has been obtained in a manner compatible with the security and intelligence agencies’ obligations under UK law.
(b) GCHQ has in practice always had an interception warrant in place for any raw intercepted material that it has sought from its overseas partners, and additionally (but voluntarily) applies the RIPA safeguards to all its data irrespective of how and under what authorisation regime it has been acquired."
The failure to set out intelligence-sharing policy in statute, or publish in any form details of these arrangements, has not only been criticised, but also found unlawful by the Investigatory Powers Tribunal, who ruled in the complaint taken by Privacy International, Liberty and Amnesty International that intelligence-sharing prior to December 2014 was not in accordance with law.
Despite the judgement in the IPT, and the statements from David Anderson, concerns remain. Voluntary standards abided by in secret are no way to govern such intrusion. The internal policy that applies these voluntary standards are of course secret. Should agencies decide to change their policy to remove compliance with those standards, they could do so, and because the policies are secret, changes to them don't need to be approved by parliament. As a result neither parliament nor the public would ever find out about a reduction in standards.
Of course, that assumes that these voluntary standards have any meaning at all. The intelligence and security committee has confirmed that GCHQ operates the majority of their activities under broad class warrants. Indeed, it appears that GCHQ has just ten warrants, renewed every six months, governing most of their collection. If the voluntary arrangements just ensure that the billions of records that are shared with British intelligence agencies are viewed as simply falling under those ten warrants, then the effectiveness of the safeguard in the first place is questionable at best.
In weighing these concerns, the three reports undertaken to feed into reforms by David Anderson QC, the Intelligence and Security Committee, and the Royal United Services Institute all made recommendations to reform.
The Intelligence and Security Committee agreed that, "the safeguards that apply to the exchange of raw intercept material with international partners do not necessarily apply to other intelligence exchanges [...] we consider that future legislation must define this more explicitly and, as set out above, define the powers and constraints governing such exchanges.”
David Anderson agreed that any new legislation must include, "the parameters for sharing data and intelligence, including the conditions that must be met for intelligence to be shared, the entities with which intelligence may be shared and the safeguards that apply to exchanges of intelligence both domestically and internationally." He recommended that "The new law should define as clearly as possible the powers and safeguards governing: (a) the receipt of intercepted material and communications data from international partners; and (b) the sharing of intercepted material and communications data with international partners."
Finally, the Royal United Services Institute has said that, "There are very good reasons why the UK’s intelligence agencies share information with partner agencies in other countries. However, there is a reasonable expectation from the public that this data-sharing will be done in accordance with UK law. Currently, there is insufficient clarity over the powers and safeguards governing the exchange of data and intelligence between international partners.”
With the publication of the draft Investigatory Powers Bill, the Home Office had an opportunity to set out in statute, in clear terms, the rules of the road.
Setting the record straight - not
Of all the issues to tackle in the new draft Investigatory Powers Bill, you would be forgiven for thinking concerns about intelligence-sharing would soon become historic in nature, given it was a point highlighted by all three reform reports, and an issue the government lost on in the Investigatory Powers Tribunal. Instead, the draft Bill is oddly silent on the matter.
There is nothing in statute on the issue. Instead, there is only a reference in the schedules to the draft Bill that future codes of practice, "must cover arrangements for the disclosure and handling of intercepted material to overseas authorities."
Why has such an important issue been missed? Only the drafting team can answer that, but it seems that despite wanting to set a 'gold standard' some areas remain too sensitive to place under the rule of law.
In recent weeks, the Council of Europe Commissioner for Human Rights Nils Muiznieks added his voice to the issue, in publishing a seventy-eight page issue paper focused on oversight of security and intelligence services. Three reform reports weren't enough to overcome decades of institutional poor practice. Perhaps this fourth one will be the push the Home Office needs to get it right. Whatever the reason for not setting out an accountable, transparent set of reforms to raw intelligence-sharing, it should be remembered that in the era of post-Snowden national security whistleblowers, it is in everyone’s interest to correct this problem now.
This article is published in association with the Criminal Justice Centre at the Department of Law, Queen Mary University of London. The CJC’s members are drawn from both the legal profession and academia, researching the impact of securitisation on human rights. The Centre is one of the coordinating institutions of the European Criminal Academic Network.