IPBill An independent review into bulk surveillance powers in the forthcoming Investigatory Powers Bill has warned that there is no proven case to let British snoops hack the planet.

The study group examined the UK government’s Operational Case for Bulk Powers [PDF], which provided the government’s reasons for needing the most intrusive and wide-reaching surveillance powers. The review panel questioned whether the information obtained via those powers could be gained by other, less intrusive means.

Published this morning, the 204-page study [PDF] found that bulk surveillance powers are indeed needed and are already in wide use by the security and intelligence agencies — but it warned that there was not yet a proven operational case for “bulk equipment interference.”

The power for the intelligence agencies to conduct enormous hacking campaigns has long been seen as one of the most controversial abilities the UK gives its spooks. The former terrorism legislation review, David Anderson QC, has advocated that “very considerable caution” over the power is needed, especially because of its ability particularly “when used at scale, to cause, even inadvertently … lasting harm to networks and to devices.”

His warning comes on the heels of a public auction of NSA hacking tools, many of which had been present in security gear for years.

As such, Anderson makes what he calls “a single, major, recommendation: that the Investigatory Powers Bill be amended to provide for a Technical Advisory Panel of security-cleared independent academics and industry experts to be appointed by the IPC ‘to advise the IPC and the Secretary of State on the impact of changing technology on the exercise of investigatory powers and on the availability of techniques to use those powers while minimising interference with privacy’.”

Bulk interception

The first power examined, the bulk interception of communications is only exercised by GCHQ. It “can be dated back to the interception of messages carried on the international cable system during the First World War,” according to Anderson, who noted that “it is claimed that bulk access to that commercially operated system enabled the collection of the Zimmerman telegram, the final trigger for US entry into the First World War, and detected attempts to evade the UK’s economic blockade of Germany.”

Principally focused on “overseas-related communications”, bulk collection is a process which involves three stages: collecting; filtering; and selection for examination.

Collection involves GCHQ selecting which communication links to access “based on an assessment of the likely intelligence value of the communications they are carrying. GCHQ does not have the capacity, or legal authority, to access every [communication link] in the world.” Instead GCHQ reportedly “focuses its resources on those links that it assesses will be the most valuable.”

Filtering is applied to the traffic passing through these communications links, which is “designed to select communications of potential intelligence value while discarding those least likely to be of intelligence value. As a result of this filtering stage, the processing systems automatically discard a significant proportion of the communications on the targeted bearers.”

Selection for examination means applying simple and complex queries to the bulk intercepted communications. “Examples of a simple query are searches against a “strong selector” such as a telephone number or email address”, while complex queries would “combine a number of criteria, which may include weaker selectors but which in combination aim to reduce the odds of a false positive.”

The review had no mandate to examine the proportionality of these processes, but only whether the bulk power was, at its most basic level, useful. It found that “just under half of all GCHQ intelligence reporting is based on data obtained under bulk interception warrants” but was unable to give any more detail, as to do so “would damage national security by revealing too much about GCHQ’s capabilities.”

Having inspected a good number of intelligence reports and internal documents [which are specified in the report], I have no doubt that the bulk interception power continues to be used productively and on a large scale by GCHQ.

Anderson found that the power “has proven itself to be of vital utility across the range of GCHQ’s operational areas, including counter-terrorism in the UK and abroad, cyber-defence, child sexual exploitation, organised crime and the support of military operations.”

He states however that the “trend towards universal encryption and the anonymisation of devices may be making the bulk interception power into a (gently) diminishing asset.”

Bulk Acquisition

Bulk acquisition, which is currently practiced in secret under warrants issued in accordance with section 94 of the Telecommunications Act 1984, is being explicitly codified in statute for the first time by the Investigatory Powers Bill. Unlike bulk interception, acquisition is not required to be focused on international communications, but rather has involved the domestic collection of communications in the UK.

In simple terms bulk acquisition is the domestic version of the bulk interception power. Both allow for communications to be captured by the State, but additional protections are provided for domestic communications traffic.

Prime Minister Theresa May made it public last November that, since the turn of the millennium, secretaries of state have been issuing secret directions under section 94, without any judicial authorisation, to acquire domestic communications. The first glimpse of oversight these received was published in a report by the Interception of Communications Commissioner’s Office (IOCCO) last week, which revealed that at least 23 directions were currently in effect on national security grounds.

Under the Investigatory Powers Bill, section 94 of the Telecommunications Act will be repealed, but secretaries of state will have the new power to issue national security and technical capability notices to much the same effect. Section 94, as Earl Howe admitted in a debate in the House of Lords earlier this year, “has been used for a range of purposes, including for the acquisition of communications data in bulk.”

Anderson regretted that his report was “unable openly to describe” the categories of communications data and the specific purposes that the data collection under bulk acquisition currently serves, but adds that “it can safely be said however that:”

a) the existing power and the power in Part 6 Chapter 2 of the Bill both enable the SIAs [Security and Intelligence Agencies] to obtain large amounts of communications data, most of it relating to individuals who are unlikely to be of any intelligence interest; but that (b) content cannot be obtained under either power, and it is not currently envisaged that the bulk acquisition power in the Bill will be used to obtain internet connection records.

Anderson stated that bulk acquisition “has been demonstrated to be crucial in a variety of fields, including counter-terrorism, counter-espionage and counter-proliferation”, as per the findings of oversight bodies. He noted that the changes in this area — potentially including the filtering arrangements provided by the Investigatory Powers Bill’s new “Request Filter” — meant that the bodies’ conclusions could not be guaranteed for the future.

Bulk personal datasets

Bulk personal datasets include the passport register, the electoral register, the telephone directory and data about individuals with access to firearms. These are acquired through both overt and covert channels

Anderson had “no hesitation in concluding that BPDs are of great utility” adding that “in some areas, particularly pattern analysis and anomaly detection, no practicable alternative to the use of BPDs exists. These areas of work are vital, since they can provide information about a threat in the absence of any other intelligence seed.”

Bulk equipment interference

Equipment interference (EI) is the term used to refer to the State’s aggressive hacking activities. These were previously covered by the phrase “computer network exploitation” and involved everything from “the implantation of software into endpoint devices or network infrastructure to retrieve intelligence” to “copying data directly from a computer.”

It it seen as the primary means to address the spooks’ difficulties in accessing information which is protected by encryption, especially that “rendered impossible or very difficult to intercept by end-to-end encryption.”

When targeted these hacking powers may be sought by the head of one of the security and intelligence agencies, but also by the chief of defence intelligence or by the chief constable of a police force. “There is no requirement for a link o the interests of national security: it is enough that the warrant be necesary for the purpose of preventing or detecting serious crime, or (in comes cases) preventing or mitigating death, injury or damage to a person’s physical or mental health.”

Bulk powers, on the contrary, may only be sought by the spooks, and must be necessary in the interests of national security, and a foreign focus is required. However the distinction between what is bulk and what is targeted is tightly contested.

“Thematic” warrants for EI are considered targeted, and yet as Anderson noted they may be “very broad in their scope: they may relate for example to ‘equipment in a particular location’, ‘equipment in more than one location, where the interference is for the purpose of a single investigation or operation’ and ‘equipment which is being, or may be, used for the purposes of a particular activity or activities of a particular description’.”

Thematic warrants for bulk hacking can take place “at scale” as the government has expressly acknowledged, which might cover a large geographic area or involve the collection of a large volume of data. Anderson has warned that thematic warrants may therefore be used to dodge the more stringent requirements placed on bulk hacking warrants.

According to Anderson, “the bulk EI power is unlike all the others, in that (though the dividing line between bulk and thematic is not always very clear) it has never been used.”

As a rapidly developing alternative to bulk interception, however, Anderson believes an operational case for its use has been made out in principle, but advocates “very considerable caution” especially because of its ability “particular when used at scale, to cause, even inadvertently … lasting harm to networks and to devices.”