Intelligence sharing between the UK and the USA
1. Background
1.1 Integration of the agencies
Since the second world war, UK and US intelligence agencies have worked closely together to share intelligence . The Snowden leaks revealed that this co-operation and intelligence exchange was considerably more wide ranging than popularly understood. Britain’s GCHQ and America’s National Security Agency (NSA) are in effect operating as a single organisation. The sharing of intelligence is imprecisely regulated, resulting in loopholes and gaps in legal protections.
Extraordinary thought and effort has been made to integrate the operations of the two agencies. Staff in these two agencies regularly work alongside each other, jointly develop technical systems, targeting packages, and even have a joint staff prizes. Less thought appears to have been put into the development of public facing statutory rules to govern co-operation and to ensure that oversight bodies are as integrated as the agencies they are reviewing.
The UK intelligence agencies, including GCHQ, rely on a statutory scheme that allowed them to receive material from the US National Security Agency (NSA). The Investigatory Powers Tribunal (IPT) found this scheme to be historically unlawful in 2014. An investigation into the co-operation between NSA and GCHQ was launched by oversight bodies, but has not yet concluded its work. Every independent review into investigatory powers has recommended that the scheme for international co-operation and intelligence sharing should be set out clearly in law.
Despite this, the 2016 Investigatory Powers Act (IPA) failed to provide any clear statutory language to govern the practice of intelligence exchange and cooperation. Following Brexit, the UK’s relationship with the US has a new significance. This, coupled with the changing political climate in the United States, means it is more important than ever for intelligence sharing to be properly brought under the rule of law.
1.2 Calls for reform
Following the Snowden leaks, there were three independent reviews into investigatory powers (A Question of Trust, Privacy and Security and A Democratic Licence to Operate). All three found that the existing scheme under Regulation of Investigatory Powers Act (RIPA) was inadequate to govern intelligence co-operation and exchange. Each made recommendations to place the practice onto a firm statutory footing in any future legislation. However, when the draft Investigatory Powers Bill was published such a scheme was notably absent. The Intelligence and Security Committee (ISC) responded to the publication of the draft Bill by stating that “the proportion of intercept material obtained from international partners is such that it is not appropriate to exclude it from legislation which purports to cover interception” and recommended that “legislation must set out these arrangements more explicitly, defining the powers and constraints governing such exchanges.” The Government did not act on this recommendation.
1.3 Lack of oversight
A full review of raw intelligence sharing has never been completed by UK oversight bodies. The issue was partially probed by the ISC who set out in their Privacy and Security report the agencies’ position for the first time publicly. A more comprehensive investigation was initiated by the Interception of Communications Commissioner’s Office (IOCCO) into “arrangements in place within GCHQ for the sharing of intercepted material and related communications data with foreign partners.” In practice, the scope of this review might be limited, as IOCCO cannot compel the disclosure of material from the NSA, and the ‘third party doctrine’ might limit what GCHQ is able to make available to UK oversight agencies.1
2. Legal overview of intelligence co-operation
2.1 Sharing intelligence with other countries
The scheme regulating intelligence co-operation and exchange under RIPA remains only partially understood. General safeguards for UK agencies to share information they collect are found in s.15 of RIPA and are exercised at the discretion of the Secretary of State who must simply satisfy herself that any material shared will be subject to appropriate safeguards by the receiving foreign partner.2 What conditions need to be met, even for long standing partners like the NSA, have never been set out publicly, nor is it known if these conditions are ever reviewed or enforced.
2.2 Receiving intelligence from other countries
Prior to the IPT decision in Liberty/Privacy, the position around the receipt of material from foreign partners was not clear. Neither RIPA nor any Codes of Practice dealt with this issue, but in the course of the case, an internal policy statement was provided stating that data may be sought from foreign partners when “an interception warrant had been granted authorising the interception of those communications but they could not be obtained under that warrant and it would be necessary and proportionate to obtain those communications” or making the request does not “amount to a deliberate circumvention of RIPA”.3 This would include circumstances where it is not technically feasible to obtain that material under RIPA, and it is necessary and proportionate to gain access to it. For example, if UK intelligence are trying to obtain communications in France and for some reason is “not technically feasible to obtain the communications via RIPA interception”, British intelligence agencies might be able to accept a bulk feed of unanalysed data from the government of another country without even needing to obtain a warrant. Once collected, RIPA s.16 safeguards, such as those prohibiting searching for material referable for someone in the British Isles, would not apply, permitting unrestricted access to unwarranted material, which can be used without the usual protections.
Prior to the disclosure of that internal policy statement, the IPT ruled that the sharing of material was unlawful, as it had not been “in accordance with the law” as required by Article 8(2) of the European Convention on Human Rights which ensures that any infringements into privacy is done under a publically available, and foreseeable, legal framework. However, once the disclosure had been made the IPT felt the regime was sufficiently foreseeable, and thus was ruled lawful from the point of disclosure onwards.
Under the IPAct, the statutory scheme has not developed much further. It is not yet clear what new safeguards, if any, apply to material received from foreign partners, nor whether the internal policy based safeguards continue. Only one further safeguard was introduced into the IPA, which related to the sharing of material by UK intelligence agencies with foreign partners. This amendment extends the matters for which the Secretary of State must be satisfied to expressly mention that the “overseas authority has safeguards in place corresponding to those in the Bill in relation to the selection of data for examination”. Such safeguards include that the selection of material for examination must be carried out for specified purposes and be necessary and proportionate.
None of these amendments confront head on the practical reality of intelligence co-operation between GCHQ and the NSA. Questions about more complex forms of co-operation, including jointly developing and deploying collection systems, as well as jointly contributing to selection criteria have never been clarified in the schemes provided for under either RIPA or the IPAct.
3. Intelligence exchange in practice
The Snowden leaks showed that it is easy for analysts at NSA to access UK intercepted material. Once NSA staff undertake a UK Legalities training, they are automatically granted access to GCHQ TEMPORA systems. Other documents suggest that this Legalities training takes the form of a self-assessed “multiple-choice, open book test”.
For GCHQ to access NSA material, the system in practice is similarly relaxed. A leaked note from GCHQ’s operational legalities team, dated May 2008, permits GCHQ analysts to search through a database named DISHFIRE containing NSA bulk collected text messages. The memo explains how officers may “run a search of UK numbers in DISHFIRE in order to retrieve only events data,” and sets out how an analyst can prevent himself seeing the content of messages when he searches – by enabling a single setting on the search. Once this is done, the document continues, “this will now enable you to run a search without displaying the content of the SMS, especially useful for untargeted and unwarranted UK numbers.”
Intelligence exchange is not just about sharing intelligence but covers a range of other programmes, including the development of collection and analytic systems, and the development of exploits for use in hacking operations.
4. Recommendations
Attempts have been made by NGOs such as Privacy International to secure the release of the UK/USA arrangement governing signals intelligence exchange between GCHQ and the NSA.4 The lawfulness of aspects of the intelligence sharing regime are now before the Strasbourg courts.5 The Government must provide more information to reassure the public and parliament that this issue is not being ignored. As repeatedly recommended by David Anderson QC and the ISC, clear rules must be in statute and the existing interpretation and application of those rules needs to be made public as a matter of urgency.
The Government must:
- Make a public commitment to ensuring that there will be no substantial changes to surveillance procedures, including lowering of safeguards, due to intelligence sharing with the US and other key partners.
- Publish an overview of intelligence sharing between the GCHQ and NSA covering a) arrangements made under UK/USA for cooperation, b) how safeguards in RIPA and IPA have been interpreted to regulate the exchange of material, c) internal guidance that governs raw intelligence sharing in practice, d) policies governing technical integration of collection, exploitation and analytic systems ,
- Formally instruct the Investigatory Powers Commissioner under s.230 to undertake a full review of intelligence sharing between GCHQ and NSA, including legal, policy and technical integration, building on work IOCCO began in 2015, as well as the sharing and risk assessment practices surrounding use of exploits which may undermine the UK’s cyber security, and make the appropriate representations to help the Commissioner secure full co-operation from the United States.
- Commit to reform in this area, including implementing any recommendations made by the Investigatory Powers Commissioner.
- Initiate a process to declassify (in redacted form if required) the exchange of material that make up the UKUSA arrangement.
Footnotes
1 Third party doctrine, also known as the originator control principle, is the idea that material shared by one party to another should never be shared to a further third party without express permission of the originating agency.
2 David Anderson QC. (2015). A Question of Trust. at [S.6.87] “that the number of persons to whom data is disclosed and number of copies made are limited to the minimum that is necessary and the material is destroyed as long as there are no longer any grounds for retaining it.”
3 ibid [S.6.90]
4 Privacy International requested the arrangement under the Freedom of Information Act in 2014. The lawfulness of the response which refused to disclose any material on national security grounds is now before the Strasbourg courts.
5 See Big Brother Watch v United Kingdom and 10 Human Rights Org v United Kingdom.