limited number of devices in respect of which more intrusive techniques could
then be deployed.
Safeguards on bulk EI
2.65.
Similar safeguards to those applicable to bulk interception (2.26 above) apply to
applications for bulk EI warrants and their authorisation, approval and
modification. Together with the safeguards that apply to the selection for
examination of content obtained under a bulk EI warrant, they are set out in the
Bill and expanded upon in the draft Code of Practice.102
2.66.
The operation of EI is subject to the oversight of the IsComm, and will be
overseen by the IPC once the Bill becomes law.
Criticism of bulk EI
2.67.
Though EI (then known as CNE) was only avowed in February 2015, the
Snowden documents had suggested that it was being practised some years
before that date, and many of the criticisms are based upon readings of those
documents. Summarising the criticisms made by Privacy International and other
groups in their challenge before the IPT, it was suggested that:
(a) The tools used by GCHQ allow vast quantities of historical and current
information to be extracted from large numbers of devices, subjecting users
to mass and intrusive surveillance. Eric King of Privacy International
claimed:
“CNE gives intelligence agencies access to the most personal and
sensitive information about an individual’s life – information which can
directly or indirectly reveal an individual’s location, age, gender,
marital status, finances, health details, ethnicity, sexual orientation,
education, family relationships, private communications and,
potentially, their most intimate thoughts. Furthermore, the logging of
keystrokes, tracking of locations, covert photography, and video
recording of the user and those around them enables intelligence
agencies to conduct real-time surveillance, while access to stored
data enables analysis of a user’s movements for a lengthy period prior
to the search”,
and described CNE as “the most powerful and intrusive capability GCHQ
possesses”. Examples followed of what malware can do against an individual
device and against a server or network.103
102
103
Clauses 162-180 of the Bill; March 2016 draft Code of Practice, sections 3 and 5. See also
Operational Case at 8.9-8.18.
Witness statement of Eric King of 5 October 2015, paras 10 and following:
https://www.privacyinternational.org/sites/default/files/Witness_Statement_Of_Eric_King.pdf. .
40