2.24.
Even so-called “secondary data” can enable the tracing of contacts,
associations, habits and preferences. It has been said to encompass “location
data that can be used to track people’s movements, login passwords, and
website browsing histories”.70 Analysis of secondary data collected in bulk may
provide the critical information required to open the way to individual requests,
e.g. targeted interception or targeted EI. But secondary data also encompasses
the highly technical non-personal information that GCHQ told the Review was
crucial for them to understand global telecommunications infrastructure. That
includes, for example, information about protocols and server routing.
Safeguards on bulk interception
2.25.
The internal safeguards applicable to the retention, storage and destruction of
intercepted material and related communications data were examined in detail
by IOCCO in its report for 2013.71 The Commissioner’s findings included that:
(a) in relation to content, “indiscriminate retention for long periods of unselected
intercepted material (content) does not occur” (para 3.55); and
(b) in relation to communications data, that he remained to be satisfied that
some of the “variety of longer periods” for which it was retained could be
justified (para 3.56).
Major reviews of retention, storage and destruction procedures ensued, and all
33 of the specific recommendations made by the IOCC in 2013 and 2014 were
accepted.72
2.26.
The external safeguards in the Bill applicable to bulk interception warrants are
set out in the draft Code of Practice73 and summarised at paras 7.6-7.15 of the
Operational Case. In brief and non-exhaustive outline:
(a) Warrants must be signed and issued personally by the Secretary of State
(clause 132), with the approval of a Judicial Commissioner (clause 131).
Application must be made by an SIA Head (clause 129(1)).
(b) The Secretary of State (and the Judicial Commissioner in exercising his
function of review) must consider that the warrant is necessary in the
interests of national security (whether on its own or in conjunction with other
69
70
71
72
73
Clause 127(4).
Ryan Gallagher, The Intercept, 7 June 2016: “Facing data deluge, secret UK spying report
warned
of
intelligence
failure”:
https://theintercept.com/2016/06/07/mi5-gchq-digintsurveillance-data-deluge/.
2013 Annual Report of the Interception of Communications Commissioner, April 2014, 3.483.57.
2014 Report of the Interception of Communications Commissioner, March 2015, 6.60-6.65.
Interception of Communications draft Code of Practice, March 2016, chapter 9.
27