In the coming days politicians and security officials on both sides of the Atlantic are going to be forced to explain the revelations in the Guardian and other newspapers about PRISM. This program appears to have been set up to allow the US government access to personal data held by Google, Apple, Facebook and other tech companies.
It is also alleged that British intelligence agencies, most notably Government Communications Headquarters (GCHQ), may have used that access to gain information about UK targets.
Government ministers are likely to reassure us that whatever ‘does or does not’ exist complies fully with our existing legal framework. For that reason, they will say, we need not worry: no UK laws have been broken and the legal requirements set out in British law have been respected.
The problem is that even if they are right, it is not the breaking of laws that is most troubling in this area, but the absence of them.
The US and the UK, like most developed democracies, have legal frameworks that regulate the techniques governments can use to covertly collect personal data about their citizens and residents. But the laws in each of those countries principally apply to their own citizens. For historical reasons most governments still retain broad and almost wholly unregulated powers in relation to the surveillance of foreign persons / non-residents. US laws require the US government to obtain a warrant before collecting personal data about a schoolteacher in Arkansas. But the same is not true of foreigners: an office worker in Cardiff has no greater protection from the US government monitoring her data than an arms trader in Kandahar.
Decades ago this may have seemed understandable. The US and other governments needed to retain such powers for counter-intelligence and to monitor foreign spies. The likelihood of ordinary citizens in the UK or elsewhere having their everyday communications subjected to surveillance by the US government was hard to imagine. But we live in a very different time. Most of us use Gmail, Facebook or similar internet services and, as a result, vast amounts of our private information are held on servers in the US.
This modern phenomenon creates two important loopholes.
The first loophole is that foreigners storing their personal data on US servers have neither the protection that their own domestic laws would give them from their own governments, nor the protection that US citizens have from the US government. In that legal vacuum, even tech companies that wish to object to US government requests for data about foreign users have limited options. And it is foreigners, potentially UK citizens in the UK, who are the targets of programs like PRISM. As CNN has reported, President Obama said on 7 June 2013 ‘[PRISM] does not apply to US citizens and it does not apply to people living in the United States’. Those of us outside the US may have found little comfort in that.
The second loophole is that once such data is in the hands of the US authorities, there is no clear legal framework that prevents it from being shared with UK authorities. The Security Service Act 1989 and the Intelligence Services Act 1994 place MI5, MI6 and GCHQ on a statutory basis, and permit those bodies to receive any information from foreign agencies in the ‘proper discharge’ of their statutory functions. Under that broad principle, UK agencies may receive and examine data from the US about UK citizens without having to comply with any of the legal requirements they would have to meet if the same agencies had tried to gather that information themselves. The Regulation of Investigatory Powers Act 2000 (RIPA), which sets out the framework within which GCHQ and others gather information about us, does not apply if the information has already been gathered by a foreign agency and is simply being handed over. There is little, if any, legal regulation or oversight in that situation.
In the wake of the revelations about PRISM, a new concern has emerged: Has our government deliberately manipulated these two loopholes and effectively circumvented RIPA and UK law by using the US authorities to access data about UK citizens?
But the real irony is that in a world of ‘common security interests’ there need not be any explicit ‘manipulation’ or deliberate ‘circumvention’ for this to occur. Of course, if the UK cynically asked others to do its surveillance work for it, specifically to avoid UK law, this may well be unlawful. But it need not go that far to achieve the same result. If the UK alerts the US authorities about UK citizens who may be of interest ‘to the US’, the US authorities may then collect data about those UK citizens for ‘their own’ purposes. Any information the US authorities then obtain about those UK citizens may be freely and informally shared with the UK authorities at a later date. If that process means that the UK authorities have gained information about UK citizens which may have been much harder to obtain if they had acted in accordance with RIPA and the UK legal framework, that is just a fortuitous side-effect of the unregulated, informal world of international intelligence sharing.
It is notable that when asked about this on BBC Radio 4’s Today programme, Sir Malcolm Rifkind, the Chairman of the Intelligence and Security Committee, appeared to accept a distinction between the UK security services specifically asking other authorities to collect data for them, as opposed to simply receiving such data after it had been gathered. Whether the security services themselves will seek to rely on that distinction to explain their actions should be one of the key issues addressed by the Foreign Secretary, William Hague, when he addresses Parliament later today.
As private citizens we expect to be reassured when our government tells us it is complying with the relevant laws. But that reassurance only works when those laws are themselves adequate to protect us. In this area, they are not.