online safety; and effective law enforcement concerning criminals who operate
online”.
5.38.
All the factors identified by Liberty have a role to play in cyber-defence. But
none of them, alone or in combination, was able to prevent the cyber-attack
described in A8/8, despite the fact that financial institutions had already identified
the threat posed by the sophisticated malware concerned. Analysis of bulk
interception data available to GCHQ was able to locate that malware on a
nationally important computer network.
No possible alternatives
5.39.
Some of the case studies demonstrated that no alternative method at all existed
of obtaining the necessary intelligence. A8/1 is such an example; faced with an
attack plot and no other leads to follow, the SIAs had to rely on bulk interception
of communications data to identify those involved. That case study also provides
an instance of the utility of different bulk powers in combination: in that case, bulk
interception and bulk acquisition of telephone data.
5.40.
A8/2 is an example of the use of pattern analysis to identify members of an
Islamist extremist cell who would not otherwise have been discovered. Although I
cannot publish further details of the operation, I am aware that a very real threat
of a mass casualty attack was averted.
5.41.
I am conscious that I have seen only a small sample of the SIAs’ work, and that
one cannot conclude on the basis of such a sample that alternative methods of
evidence-gathering would never be available or appropriate. There are
circumstances in which they certainly would.
However, some of the
disadvantages of other methods illustrated by the case studies (such as the risk
to human agents or the delay involved in asking overseas CSPs for assistance)
are evident. It does not seem to me that any alternative or combination of
alternatives would be sufficient to substitute for the bulk interception power.
Negative incidents and outcomes
5.42.
IOCCO is under a statutory duty to report to the Prime Minister any contravention
of the provisions of RIPA 2000, or any inadequate discharge of the safeguards
provided in its s15.208 A detailed account of interception errors (targeted and
bulk) is given in the IOCC’s regular published reports: in 2013 there were 57
errors and in 2014 there were 60.209 The great majority involved technical or
human error within interception agencies or CSPs, resulting for example in overcollection, unauthorised disclosure, incorrect dissemination, failure to cancel
208
209
RIPA 2000, ss58(2)(3).
Report of the IOCC, March 2015, 6.86.
88