54
Investigatory Powers Commissioner’s Annual Report 2019
number of thematic warrants where the subject-matter of the warrant was problematic,
for example the subject matter being defined in terms of the activity it authorises, not
the activity for which the equipment is used, and another where some subjects did not
fully match the description of the subject matter in the warrant. We saw similar issues on
some Government Communications Headquarters’ (GCHQ) warrants and so highlighted
this to the Judicial Commissioners (JCs) to inform their consideration of thematic warrant
applications in future. This demonstrates how improved oversight can be derived from the
exchange of information between our Inspectorate and the JCs exercising prior approval
under the double lock.
Warrant management
9.17
Following the introduction of the IPA, SIS adopted a new electronic management system
for warrant applications. Transition to this system involved a manual migration of warrants
and all related documentation. We anticipate that this will enable SIS to develop a tighter
grip on the technical coverage in place under each warrant at any given time, ensuring that
subjects or associated factors do not remain on a warrant after it is no longer necessary.
We were concerned that the technical limitations of the new warrant management system
mean that SIS are still carrying a greater risk of errors than is advisable. We recommended
that SIS must implement robust processes to keep warrants under review and ensure that
warranted activity ceases when it is no longer necessary and proportionate.
9.18
To date, SIS has taken steps to improve oversight of activity taking place under each
authorisation, which goes some way to addressing our concerns. For example, in
conversation with SIS we identified that the new electronic management system does not
produce any documentation showing a clear link between the subjects of the warrant and
their associated factors. This increased the risk that when a subject was removed from a
warrant one or more of their factors remained on the warrant in error. SIS has developed a
capability to show the relationship between the subject and factor to enable them better
to manage their warrants; SIS now provides this information to support their warrant
applications as required.
Computer Misuse Act offences committed by agents
9.19
SIS reported an error whereby an agent had been tasked to conduct activity which might
constitute an offence under the Computer Misuse Act 1990 (CMA). As a result of this
error, SIS sought a new thematic TEI warrant to authorise any potential criminal liability
under the CMA in respect of agents obtaining data from computer systems. This will be in
addition to any required specific RIPA CHIS authorisation for activity in the UK. We agree
that it is appropriate for this activity, subject to the significant safeguards and restrictions
explained in the application, to be authorised under a thematic authorisation. However, we
will review reliance on this authorisation closely to ensure that any conduct which might
breach the CMA is necessary and appropriate, and that the activity of SIS’s CHIS in this area
is clearly recorded and properly overseen internally.
Testing and training warrants
9.20
Section 17(2)(c) of the IPA provides for agencies to obtain interception warrants for testing
and training purposes whilst sections 101(1)(g) and (h) provide for warrants for the testing,
maintenance and development of equipment interference capabilities and training in the
use of such capabilities. We are satisfied that SIS made appropriate use of IPA warrants to
authorise testing and training activities during 2019.