Investigatory Powers Commissioner’s Annual Report 2019
10.28
This finding echoed a similar recommendation in the Intelligence and Security Committee’s
Privacy and Security: A modern and transparent legal framework25 report of March 2015.
We therefore conducted a review of our approach to inspecting bulk interception in 2019,
which included a careful review of the technically complex ways in which bulk interception
is actually implemented. As a result of this review, the findings of which have been agreed
with GCHQ, our inspections of bulk interception from 2020 onwards will include a detailed
examination of the selectors and search criteria alluded to above by the ECtHR. The exact
format of this inspection is yet to be agreed and like our other inspections will be the
subject of continuous review.
Operational purposes
10.29
GCHQ may only select for examination material obtained through bulk interception for one
or more of the operational purposes listed on the warrant. We are satisfied that GCHQ’s use
of operational purposes with respect to the examination of material obtained through bulk
interception is appropriate, including the addition through modification of an operational
purpose to correct an earlier omission.
The Equities Process
10.30
The Equities Process is the means through which decisions are taken on the handling of
vulnerabilities found in technology to achieve the best overall outcome in the interests of
the United Kingdom. In November 2018, GCHQ publicly avowed the Equities Process and
confirmed that IPCO would oversee how the process operates in practice, with the aim of
providing public reassurance.26 Whilst carrying out operational activity, analysts working at
GCHQ or elsewhere within government may identify vulnerabilities in technology. These
vulnerabilities may represent a risk to the security of the UK or its allies. In some cases,
the same vulnerabilities might provide a means by which UKIC could obtain intelligence
in pursuit of its statutory functions. The term “equity” in this context is used to refer to a
vulnerability known to GCHQ.
10.31
Under the Equities Process, GCHQ must decide whether a vulnerability should be disclosed
or kept secret. GCHQ applies objective criteria to decide whether a vulnerability should
be released to allow it to be mitigated or retained so that it can be used for operational
purposes. The starting position is always that disclosing a vulnerability will be in the
national interest.
10.32
The decision-making process involves:
• The Equities Technical Panel (ETP), made up of subject matter experts from across UKIC;
• The Equity Board (EB), which includes representatives from other Government agencies
and Departments as required. The EB Chair is a senior civil servant, usually drawn from
the National Cyber Security Centre (NCSC), and is answerable in this role to the Chief
Executive Officer (CEO) of the NCSC. We observed an EB meeting in 2019 and will be
observing at least one further meeting in 2020; and
• The Equities Oversight Committee (EOC), chaired by the CEO of the NCSC, which seeks to
ensure the Equities Process is working appropriately. The EOC may also consider equity
decisions that have been escalated to them by the EB.
25 Intelligence and Security Committee of Parliament, “Privacy and Security: A modern and transparent legal
framework” (2015), https://bit.ly/3nuFWWu
26 GCHQ, “The Equities Process” (November 2018), https://www.gchq.gov.uk/information/equities-process
67