The ISC report on “Security and Privacy”: loose thoughts

A lot of activity this week around the ISC report on “Security and Privacy” a.k.a. the first time UK politics takes Snowden seriously (with the exception of some actions of the Home Affairs Committee).

Gave some comments to James Temperton of Wired which ended up in his piece “Minimal Oversight of GCHQ Hacking is a Scandal“.

Then I wrote up my thoughts specifically on the Bulk Personal Datasets described for the first time in this report – this appeared in The Conversation yesterday, reblogged by

I was contacted by Will Yong of Al Jazeera, would I be interested in coming to London to do an interview – even easier to say yes as I was travelling through anyway. Some discussion on Snowden media responses, metadata, and more, led to two comments broadcast on Listening Post on Saturday morning.

Having read through the whole report on the morning it came out, I tweeted some thoughts then and you will understand I read it through once more on the way to London! Collected loose thoughts on the topics not published on are below, includes some repeats from the initial tweets and more.

  • The “individual right to privacy and the collective right to security” already in the 2nd sentence. False dichotomy, and making privacy seem selfish.
  • in vii.a and ix. it talks about “an individual” – but the concept of a thematic 8.1 warrant means it’s wider than that.
  • xii. shows clearly the contradiction: communications data is a “critical capability”, so how can it be non-intrusive? It’s either full of information or it isn’t.
  • xviii. The IPT judgements are “noted” but they stated that GCHQ had acted unlawfully. How come the ISC does not wonder how this could happen on their watch, or how to prevent that happening in the future?
  • footnote 3: Hedging about it, but the idea that the dark web is much larger than the visible web confuses the deep web (i.e. not indexed by Google) and the dark web (i.e. accessible only through Tor).
  • 4. That encryption puts things “beyond the reach of the court” completely ignores RIPA Section 3, on forced disclosure of keys (& or else …)
  • 7. This is basic stuff for my computing ethics course. Electronic surveillance is intrinsically different from steaming open letters in a post office because it can be done on a large scale so much more easily. That’s computers for you!
  • 9. Given that IPT judged GCHQ actions unlawful twice, ISC might think twice about uncritically reporting their July 2013 “nothing to see here” conclusion.
  • 12. ISC were told everything – but nothing in the report corresponds to the Tempora “full take”.
  • Footnote 12: reports the HASC enquiry into police use of RIPA, but conveniently omits the government’s response to that which was extremely dismissive.
  • 21. I have listened to Paul Bernal, and he made a submission too, so I find it disappointing that they haven’t looked at other ECHR articles.
  • 31. Interesting that the extra powers regarding overseas Communication Services Providers as required in the DRIP emergency legislation are apparently felt to be unenforcable.
  • 39. An 8.1 warrant may not be used for data sent prior to the date of signing, footnote: In certain circumstances [redacted]
  • 42. Coming back to the ECHR point. “Thematic” is not defined in statute, but the Home Secretary or another Secretary of State decides how a person gets redefined as a group according to RIPA 81(1). Now if using that for “a high profile event attended by a large group of people” doesn’t have freedom of association impact!?
  • 45. Seems rather arbitrary to consider surveillance that is outside NTAC to be outside RIPA because of that.
  • M. “the point of view that it is acceptable to let some terrorist attacks happen in order to uphold the individual right to privacy” is a sick perversion:
    1. “let” assumes tolerance or even approval;
    2. “in order to” reverses the causality;
    3. (and anyway, it turned out later the quotes given here were taken out of the context, which was: we still don’t believe mass surveillance works, and you still haven’t given us the evidence to change our minds, so …)
  • 107. Note the confusion between “internal” and “external”. Facebook even between UK residents becomes “external” and then there’s a scramble to fix that later when it becomes clear as between UK residents. No plans to do the sensible thing and remove the distinction.
  • Footnote 88 seems to say that 8(4) warrants cause indirect discrimination against any ethnic minority, but that that is okay because terrorism.
  • 118. Caspar Bowden’s point: special rights for UK citizens outside the EU are illegal under ECHR, do they really not realise that?
  • 134.ii. An entire source of communications data is redacted out here. Is this the CD from Tempora full take then?
  • 134.iii. Related communications data from interception is getting retained at this point; I’m pretty sure I saw it getting deleted at a different point in the report.
  • 141. Confusion is caused by commentators using the term “metadata”!
  • 200. “The robustness of the application process means that any applications she receives will already have been rigorously tested, and she told the Committee that as a result she did not refuse many warrantry requests.” !
  • 257.i They really shouldn’t have redacted one of the two subsections on Deliberate interception of lawyer-client communications