(d) the use of CNE in such a way that it creates a particular security vulnerability
in software or hardware, in a device or on a network;
(e) the use of CNE in respect of numerous devices, servers or networks, without
having first identified any particular device or person as being of intelligence
interest (referred to as bulk CNE);
(f) the use of CNE to weaken software or hardware at its source, prior to its
deployment to users; and
(g) the obtaining of information for the purpose of maintaining or further
developing the SIAs’ CNE capabilities.99
In accordance with its usual practice, the IPT agreed to “make assumptions as to
the significant facts in favour of the Claimants” and so to proceed on the basis
that these practices could be assumed to be taking place, even though in many
cases they had been met with an NCND response.100
2.61.
The dividing line between large-scale targeted and bulk EI is not an exact one,
but as already noted (1.19 above), GCHQ has not to date conducted any
operations which would, under the Bill, be authorised by a bulk EI warrant.
Product of bulk EI
2.62.
A bulk EI warrant may (by clause 162(1)) authorise interference with any
equipment for the purpose of obtaining:
(a) communications (defined in clause 181);
(b) equipment data (defined in clause 163 in terms of systems data and
identifying data that meets certain qualifying conditions);101 and
(c) “any other information”.
2.63.
As previously noted, the main purpose of the warrant must be to obtain
overseas-related communications, information or equipment data (clause
162(1)(c)), as defined in clause 162(2)-(3), though it is acknowledged that other
material may well be obtained at the same time.
2.64.
99
100
101
It should not however be assumed that bulk EI will invariably recover content.
Indeed on the contrary, GCHQ told us that in the majority of cases the use of
bulk EI will be designed to return equipment data with a view to identifying a
Ibid., para 9. The limited extent to which those practices were avowed as actually taking place
is recorded in that paragraph by the IPT.
Ibid., para 2.
Compare the similar definition of secondary data in clause 128: 2.23(b) above.
39