PRISM, the NSA, Surveillance and the UK: Remaining unanswered questions for Parliament
What is PRISM?
PRISM is the name of a surveillance programme operated by the US National Security Agency, allowing them to gather people’s personal data (such as emails, documents and videos) from the biggest Internet companies. The US law upon which PRISM is built is the FISA Amendments Act of 2008, or FISAAA. Specifically, section 1881a creates a power to gather ‘foreign intelligence information’ from Internet companies relating to non-US citizens.
What does this have to do with the UK?
The powers under FISAAA are supposed to affect non-US citizens. That means UK citizens are in scope, and that the NSA have the powers to access their information held by the big Internet companies. It has also been revealed that GCHQ has some access to the information gathered through the PRISM programme. That means that GCHQ could gather UK citizens’ data under a different – and as yet unclear – legal framework. Further, GCHQ may be gathering and using non-UK citizens data under this system.
Expert lawyers assert that very little protection is afforded to UK citizens. [1] Worse, the USA denies any obligation to respect the privacy of foreign nationals, and under FISAAA permits surveillance of any non-US national for ‘foreign affairs’ purposes. This could, for instance, permit the surveillance of UK politicians, journalists or campaigners who criticise the USA. Previously, there has been concern at how NSA surveillance has benefited US-based firms bidding for large contracts. [2]
The unanswered questions
We believe that the Foreign Secretary has left at least four questions unanswered following his appearance in Parliament. In order to have a proper public debate about whether GCHQ are operating under the appropriate powers and legal framework, and whether UK citizens’ privacy rights are being respected, these questions need addressing. Underneath the questions below, we reproduce related questions from MPs and the Foreign Secretary’s replies. [3]
1. Does GCHQ request intercept data from the NSA related to British citizens without the Home Secretary issuing warrants?
In his answers to Julian Huppert and later David Davis, the Foreign Secretary said UK laws apply to data acquired from other countries including the US. The question of whether GCHQ is accessing intercept data from the US without a warrant from the Home Secretary is still outstanding. As Matthew Ryder QC and Simon McKay put it: “UK agencies may receive and examine data from the US about UK citizens without having to comply with any of the legal requirements they would have to meet if the same agencies had tried to gather that information themselves.” [4]
In Parliament: Dr Huppert: Many British people use the online tools affected by Prism and many British companies will have commercially sensitive data on there—many people in government as well. The Americans are partly protected, but what rules are there on the collection of British data by the NSA or the uses that those data can be put to after they have been collected?
Mr Hague: The House will understand that I cannot speculate about the content of any leak or what has been argued in newspapers over the past few days, but we do have our own clear legal framework—the Regulation of Investigatory Powers Act 2000, the Intelligence Services Act 1994 and the Human Rights Act 1998, all of which apply to data obtained by this country through co-operation with the US, just as they apply to any data we obtain ourselves. I think that people can be confident about that.
…
Mr Dominic Raab: If the UK is intercepting e-mails of British citizens, it requires a warrant from the Secretary of State, but that vital check is not in place when communications are received under Prism. Does the Foreign Secretary accept that Prism can be used quite legally to sidestep the level of safeguards that apply to UK-sourced intercept? How do we mitigate that risk?
Mr Hague: Again, I do not want anything that I say to be taken as a comment on information that has been leaked over the last few days, but the Intelligence and Security Committee will be able to study the issues raised by it, including the issues raised by my hon. Friend. That is the proper forum. I have already stressed the way in which ministerial and independent oversight applies to our relations with other intelligence agencies, including those in the United States, and my hon. Friend should therefore not jump to any conclusions about the absence of such oversight and authority.
2. Has the UK Government sought assurances from the US about how the NSA treat the privacy rights of UK citizens?
In Parliament: Mr David Davis: Has the Foreign Secretary made any representations to the American authorities about the protection of innocent British citizens’ privacy under their FISA laws?
Mr Hague: We apply our own laws. The United States decides its own laws and applies its own laws in the United States. We do so in the United Kingdom as well. That is the central point that I am making about this. All the Acts that we have passed in this Parliament relating to the gathering of intelligence are applied to data supplied from other countries. While I cannot give my right hon. Friend a specific answer about specific discussions, of course we regularly discuss with the United States the framework for these things to make sure, as best we can, that our values and our legal frameworks are upheld and that the strong emphasis on the privacy of the citizen is always there. As he will have seen in the statements of President Obama, the United States is very, very tough about that as well. When the UK and US both work together, each with a strong legal framework, the combined effect is a very strong and protective one.
3. When did the UK Government become aware of the PRISM, and the ability of GCHQ to receive some of the data acquired under FISAAA?
In Parliament: Mr Tom Watson: For clarity, will the Foreign Secretary tell us whether he was told how the NSA collects this information, and on what date he was made aware of the Prism project?
Mr Hague: I go back to what I have said about being unable to confirm or deny leaked information. I am not commenting at all on information that has appeared in the newspapers. There might be leaks in the future from who knows what agency, and I would take the same view in such circumstances. We cannot conduct ourselves in these matters by commenting on every leak that takes place. The Intelligence and Security Committee will be able to look at these questions, but I cannot tell the hon. Gentleman in public the answers to the questions that he is raising.
4. Do GCHQ apply any system of warrants and oversight for the collection of data from PRISM – or other FISAAA related programmes – about citizens of countries other than the UK and USA?
We do not know what system of oversight and warrants GCHQ apply to the gathering of data via PRISM of non UK citizens. Mr Hague said only in his statement that:
“Any data obtained by us from the United States involving UK nationals are subject to proper UK statutory controls and safeguards, including the relevant sections of the Intelligence Services Act, the Human Rights Act 1998, and the Regulation of Investigatory Powers Act.”