The UK’s intelligence agencies may soon get their hacking powers on a stronger legal footing. But a new report questions why certain warrants designed to hack multiple computers at once are even necessary, when their more targeted equivalents are arguably just as broad.
On Tuesday, the UK's Intelligence and Security Committee of Parliament published its report on the draft Investigatory Powers Bill, a proposed piece of surveillance legislation. The Committee was told that so-called “targeted” hacking warrants were so broad, that they could be used to gather information on an entire foreign intelligence agency, raising concerns about what “bulk” warrants are designed for.
If passed into law, the bill will force internet service providers to store the browsing history of their customers for 12 months. It will also update how some of the intelligence agencies' use of “equipment interference” (EI)—the UK government's term for hacking—is handled, and introduce the idea of “targeted” and “bulk” EI warrants.
"It is possible that bulk activity might capture data and information about UK persons"
At the moment, equipment interference for the intelligence agencies is governed under the Intelligence Services Act 1994, but the draft Bill is the first time that hacking warrants are being separated into Targeted and Bulk variants.
Only security and intelligence agencies would be able to apply for a bulk EI warrant, not law enforcement, and they could only be used to intentionally target systems abroad, according to a government-issued fact sheet.
“Bulk EI facilitates target discovery, it helps to join up the dots between fragments of information that may be of intelligence interest,” the fact sheet continues, keeping its description of the power incredibly vague. “It is possible that bulk activity might capture data and information about UK persons, for instance if they are associated with a subject of interest.”
But the Intelligence and Security Committee—a body of the government tasked with examining the policy, administration and finances of the UK's intelligence agencies—is concerned that bulk EI warrants are largely superfluous, because targeted warrants are already exceptionally wide in scope.
“Despite the name, a Targeted EI warrant is not limited to an individual piece of equipment, but can relate to all equipment where there is a common link between multiple people, locations or organisations,” the report from the Committee reads.
Robert Hannigan, the director for GCHQ, told the Committee that, hypothetically, a targeted EI warrant could encompass an entire hostile foreign intelligence service.
“It is therefore unclear what a 'bulk' EI warrant is intended to cover, and how it differs from a 'targeted' EI warrant,” the report continues.
Indeed, Hannigan conceded that “the dividing line between a large-scale targeted EI and bulk is not an exact one.” This evidence was provided in an oral session to the Committee in November 26, 2015, but the transcript is not public.
The Committee writes that the intelligence agencies appeared to suggest that the provision for a bulk EI warrant may be desired for “future-proofing,” but no specific examples of what such a warrant might cover were provided by the agencies, despite the very broad and intrusive powers they would provide.
“The Committee is therefore not convinced as to the requirement for [bulk warrants],” the report reads.