(b) EI creates potential security vulnerabilities or leaves users vulnerable to
further potentially grave damage.104
(c) Ministers lack sufficient understanding of the methods employed by GCHQ to
enable them properly to assess necessity and proportionality when
authorising warrants for EI.105
2.68.
Having considered a great deal of closed material, including extensive
disclosure, the IPT concluded that “the use of CNE by GCHQ has obviously
raised a number of serious questions”. Though it found no breach of the law in
its judgment of February 2016, and ruled that “in principle CNE is lawful”, it
added that:
“If information were obtained in bulk through the use of CNE, there might
be circumstances in which an individual complainant might be able to
mount a claim …”.106
Privacy International has sought to take the case further, by way of a claim for
judicial review before the Administrative Court in London and an application to the
European Court of Human Rights.
(4) Bulk Personal Datasets
Nature of BPDs
104
105
106
107
108
2.69.
The fourth and final power under review is the power of the SIAs to retain and
use BPDs under Part 7 of the Bill. The recognition by the SIAs of the value of
BPDs is said to date back to the early years of the century:107 but the power was
first disclosed in the 2015 ISC Report.108
2.70.
In the words of the Operational Case (10.1):
Ciaran Martin of GCHQ, in his first open witness statement of 16 November, paras 36-37,
denied that the system entitled GCHQ to conduct “mass” or “bulk” surveillance, and responded
that “a significant proportion of the examples given in the Claimants’ evidence with respect to
the possibilities created by CNE tools bear no relation to the reality of GCHQ’s activity and/or
would be unlawful having regard to the relevant statutory regime”.
Ciaran Martin, in his first witness statement of 16 November 2015, para 46, acknowledged that
“CNE activity could theoretically change the material on a computer”, but responded that it
would be neither necessary, proportionate nor operationally sensible for an organisation such
as GCHQ to make “more than minimal, and to the greatest extent possible, transient, changes
to targeted devices”:
Ciaran Martin, in his third witness statement of 24 November 2015, responded that GCHQ
“provide detailed information” and that “Ministers engage very significantly in the detail of the
authorisation process and scrutinise carefully the methods that are employed”.
Privacy International v Secretary of State for Foreign and Commonwealth Affairs and GCHQ
[2016] UKIPTrib 14_85-CH, para 89.
Statement of MI5 witness to the IPT in Privacy International v Secretary of State for Foreign
and Commonwealth Affairs and Others IPT/15/110/CH, paras 37-43.
2015 SIA Report, chapter 7.
41