The security risks of the intelligence services employing IT contractors, in the light of the leaks by Edward Snowden, are no greater than employing permanent staff, the government told Britain’s most secret court this week.

James Eadie, representing the government, told the Investigatory Powers Tribunal that contractors were subject to the same access controls to IT systems, and had the same levels of vetting, as the intelligence services' employees.

Eadie was responding to arguments from Privacy International that there had been no adequate independent oversight of contractors working at the intelligence agency.

Several thousand contractors, employed by GCHQ’s industry partners, work on GCHQ’s premises in Cheltenham and elsewhere, and use GCHQ IT equipment, according to evidence presented by GCHQ’s former director of mission policy.

Around 100 have systems administrator rights to IT systems containing highly sensitive data on individuals, held in bulk personal datasets.

“Our position is there is no material difference between employees and contractors,” Eadie told the court on the second day of a two-day hearing into the legality of GCHQ's use of bulk surveillance powers. “We don’t accept that there is a greater risk from contractors as a basic factual proposition.”

Reports by the Intelligence Services Commissioner in 2014 and 2015 showed that contractors at MI5 had committed serious breaches by making queries on databases containing highly sensitive bulk data with no proper business justification.

What the law requires

Section 9(1) to 2(a) of the Telecommunications Act 1984 requires the secretary of state to:

Personally consult with the people affected by a section 94 order

Give either a general or a specific section 94 direction

But only if the secretary of state believes the conduct required by the direction is proportionate to its aims

MI5 had responded by writing to the companies that employed the contractors “stressing the gravity of the issue” and expressing their “displeasure at the situation”, said a report by the intelligence services commissioner.

Eadie told the court this was not a case of “bad man wanting to steal information” as Snowden had done. “The tail piece is that they [MI5] did then take effective action. It is not difficult to see how effective sanctions could be taken by a company that did not have sufficiently rigorous processes,” he said.

GCHQ disclosed during earlier hearings that it shared operational intelligence data with industry partners. They are able to access data either on GCHQ’s premises, or remotely from their own premises, or have data transferred to their premises by secure courier.

One of GCHQ’s most important partners is the University of Bristol, which runs the Heilbronn Institute for Mathematical Research with GCHQ, providing the intelligence agency with access to academic researchers with expertise in mathematics and computational techniques.

Independent oversight

Michael Burton, president of the Investigatory Powers Tribunal, told the court that the Intelligence Services Commissioner, Mark Waller, who provided independent oversight over the intelligence agency, had been aware of GCHQ’s use of contractors, but appeared not to have been told that GCHQ was sharing data with industry partners.

Eadie told the court that as GCHQ’s data sharing was carried out on a small scale, it would be wrong to draw any inference about the adequacy of Waller’s oversight of GCHQ. “The smaller the operation the less pressing it is for the commissioner to move in,” he said.

He agreed, however, with a member of the IPT panel, Charles Flint QC, that if a small-scale data sharing operation gave rise to a new and significant risk, that would be “something the commissioner ought to look at”.

There had only been one example of GCHQ sharing a database containing non-sensitive bulk personal data, which had been accessed by fewer than 20 people since 2010. And there had only been one example of GCHQ sharing a database that might have contained bulk communications data, the government said in written evidence.

Sensitive Relationships Team

Under Section 94 of the Telecommunications Act 1984, the secretary of state has powers to order telecommunications and internet companies to hand over data about their customers to the intelligence services.

The foreign secretary signed off the first Section 94 direction in March 1988, which was implemented by a trigger letter a few days later. By October 2016 the agency had issued 13 sets of directions to communications companies.

An analysis of the Section 94 directions by Privacy International showed that on every occasion until October 2016, the foreign secretary had issued a general direction for disclosure of data.

In reality, officials at GCHQ's Sensitive Relationships Team were responsible for deciding what specific data to request from the communications companies and when to request it - a practice that Privacy International argues amounts to unlawful delegation under the Telecommunications Act 1984 and undermined the secretary of state’s independent oversight of the intelligence agency.

Eadie told the court that the secretary of state was entitled to set up a system that allowed GCHQ to decide what data it could demand from telephone and internet companies. “The secretary of state is and remains answerable to Parliament. The secretary of state did and does decide that it is proportional to issue instructions under this set up,” he said.

Unlawful data collection

GCHQ replaced all of its operational section 94 directions in October 2016, after the Investigatory Powers Tribunal ruled that UK intelligence services had been unlawfully collecting bulk communications data for 17 years.

The new directions were intended to give communications companies specific detail about the data GCHQ was seeking, while GCHQ’s submissions to the foreign secretary were also more specific about the data the intelligence agency was asking for, according to evidence from GCHQ’s witness x.

Eadie told the court that if any of the s.94 directions before October 2016 were found to be unlawful, the changes “put the ship back on an even keel”.

“From this point on the data is specified on the cover,” he said. “There is no question of unlawful delegation of any description. The secretary of state directs, the direction is precisely in line with the data requested. The foreign secretary authorised it to be disclosed immediately. There is no delegation of any substantive decision making.”

Astonishing if true

Speaking on behalf of Privacy International, Ben Jaffey said the government’s claim that GCHQ recognises no difference between contractors and employees “was astonishing if true”. That view was not shared by the Intelligence Services Commissioner, Mark Waller, or the Investigatory Powers Commissioner, Adrian Fulford, he said.

Waller recognised that employees and contractors were treated differently in a report in 2016. “I have recommended that MI5 should make it plain to secondees and contractors that they are subject to MI5 rules of conduct regarding access to data and ensure all people working on MI5 premises know the consequences of misuse. This also applies to the other agencies,” he wrote.

The Investigatory Powers Commissioner’s Office (IPCO) began an investigation into the security arrangements for contractors working in the intelligence services last year.

IPCO told Computer Weekly in February: “We recognise the importance of the need for reviewing the security arrangements for contractors which may have access to sensitive data, particularly given the recent leaks by contractors in other countries. We began work last year, and it’s going to be a focus for our inspection activity in 2018.”

No adequate oversight of GCHQ's use of algorithms and artificial intelligence

Jaffey told the court there had been no adequate oversight by independent commissioners of GCHQ’s use of algorithms, machine learning and artificial intelligence to automatically identify which intercepted communications were of intelligence interest. He urged the IPT to bring in a technical expert in a closed hearing to assess whether GCHQ's use of advanced technology was proportionate in law.

He cited a review of bulk surveillance powers by the then independent reviewer of terrorism legislation, David Anderson, in 2016, which found it was important to ensure that “authorising and oversight bodies have the requisite technical knowledge not just of current technologies but of present and emerging trends.”

Eadie, representing the government, said it was not necessary for the independent commissioners or the tribunal to have access to technical experts to provide effective oversight of GCHQ’s use of cutting edge technology. “The commissioners have all been sophisticated individuals, well used to querying until they understand a relevant system,” he said. “They are able to ask relevant questions.”

It was not a good answer to suggest that because the new Investigatory Powers Commissioner’s Office, which took over responsibility for overseeing the intelligence services in September 2017, will be employing technical experts, that the previous oversight regime was inadequate, he said.