Privacy International, which has been engaged in legal challenges over GCHQ spying for the past few years, has obtained an oversight document as a result of its litigation. What they show is the agency’s broad hacking powers and the reluctance of its oversight to condone these actions.
The Commissioner of the Intelligence Services was slow to respond to hacking. Many of the concerns the Commissioner raised in his 2014 report [published July 2015] are the subject of PI’s legal complaint, including whether it is lawful to use broad “thematic warrants” to justify the hacking of people in the UK. The Commissioner questioned this practice in depth. He was concerned that current law “does not expressly allow for a class of authorisation”, and therefore the warrants were too broad. As a result, the Commissioner was worried that the Secretary of State was unable to properly assess whether the warrant authorised activity was necessary and proportionate. [ibid, p18] This means that GCHQ could get a warrant in the UK to hack the computer of everyone in Birmingham with little meaningful oversight.
Broad warrants at home — signed by someone who may not have had any idea exactly what they were authorizing. No warrants, for the most part, for extraterritorial hacking. Testimony on behalf of the GCHQ by its director of cyber-security points out that the Secretary of State (who handles surveillance warrants) is rarely consulted when the target is foreign. The only exceptions are if the GCHQ feels the target may be “sensitive” or “politically risky.” Otherwise, the GCHQ grants itself permission to carry out these attacks.
Two other agencies that write their own hacking orders (MI5 and the Secret Intelligence Service) also do what they can to eliminate whatever minimal paper trail these actions might generate.
The Intelligence and Security Committee Report in March 2015 called MI5’s and SIS’s failure to keep accurate records of their overseas hacking activities “unacceptable”, [ISC report, p.66] as it makes effective oversight impossible [Witness Statement of Ciaran Martin, 71L].
Arguably, the oversight was never “effective” to begin with. Privacy International’s Caroline Wilson Palow points out that Parliament was never notified in the first place by these agencies about their hacking activities. The oversight of three intelligence agencies is pretty much limited to one guy (Sir Mark Waller) who engages in spot checks of warrants periodically. With none of the agencies feeling any particular urge to seek warrants for overseas surveillance, it does cut down on Waller’s workload, but it doesn’t do much to ensure they aren’t abusing their (often) self-awarded privileges.