UK gov publishes whitewash investigation into PRISM

The UK Intelligence and Security Committee has attempted to absolve UK authorities of any responsibility in the PRISM scandal and has published the results of an investigation into claims GCHQ along with the NSA violated UK law.

The investigation, headed by Sir Malcom Rifkind, only looked at PRISM and not the Tempora programme, which was specific to the UK intelligence services. Surprise, surprise, Rifkind doesn’t find any fault with the UK intelligence services’ conduct when it comes to working with US authorities and sharing data on UK citizens.

Rifkind says the most serious allegation against GCHQ is that the organisation acted illegally by accessing communications content via the PRISM programme. This accusation was

backed-up by the Guardian’s report on GCHQ’s involvement with PRISM and the culture of ‘don’t ask don’t tell’ with regards to intelligence information gleaned from the NSA’s activities.

Here are the key points on what Rifkind says about the validity of the accusations:

“It has been alleged that GCHQ circumvented UK law by using the NSA’s PRISM programme to access the content of private communications. From the evidence we have seen, we have concluded that this is unfounded.

We have reviewed the reports that GCHQ produced on the basis of intelligence sought from the US, and we are satisfied that they conformed with GCHQ’s statutory duties. The legal authority for this is contained in the Intelligence Services Act 1994.

Further, in each case where GCHQ sought information from the US, a warrant for interception, signed by a Minister, was already in place, in accordance with the legal safeguards contained in the Regulation of Investigatory Powers Act 2000."

Ignoring the bigger picture

Let’s take Rifkind’s arguments point by point. Number one: Yes there may be no direct evidence that GCHQ circumvented UK law by accessing private communications, but that misses the point of the accusations, which were that the NSA withheld how it obtained most of the communications data from the UK authorities (with GCHQ’s consent). It also specifies the “content” of communications and not the metadata surrounding the communications, which appeared to be PRISM’s main purpose and was what most of the accusations concerned.

Two: Rifkind reaffirms the statutory basis for PRISM in the 1994 Intelligence Services Act. This justification has already been torn down by others. Yes, maybe no laws have been broken. But how can surveillance legislation drafted in 1994 have any relevance to the internet era, where data mining is taking place on a scale that no one imagined two decades ago. The law clearly isn’t fit for purpose.

Three: Rifkind then invokes RIPA, which itself has been the subject of controversy, as it allows so many disparate agencies and authorities the ability to access communications data without a warrant. The government no long records the amount of communication requests made under RIPA, but last count – in 2009 – it stood at over 500,000 per year

Inadequate laws

However, the ISC’s report wasn’t a total whitewash. Rifkind does point out the confusion around the laws regarding surveillance in the UK. He admits the currently legal framework is a “complex interaction” between the Human Rights Act, the Intelligence Services Act and RIPA. All of this legislation is rather dated and doesn’t take into account the communications shift presented by the internet. This is also something Rifkind thankfully admits, saying:

“Although we have concluded that GCHQ has not circumvented or attempted to circumvent UK law, it is proper to consider further whether the current statutory framework governing access to private communications remains adequate."

If the Intelligence Services Committee is saying the current statutory framework governing access to private communications may be inadequate, then politicians should pay close attention.    

Comments icon
We invite you to discuss this post in our Reddit community or on Twitter. You can also send your feedback to
Tags: Privacy

Most people don't need a commercial VPN to work from home securely

Posted on April 7, 2020 by Nick Pestell

Many small businesses and their employees are concerned about the security of their data whilst working from home during the coronavirus pandemic. We see a lot of confusion surrounding this topic, even from fairly technical folk and there is unfortunately a lot of misinformation being spread by commercial VPN providers themselves.

You can't always get what you want: the eternal conflict between lawful access and privacy

Posted on April 19, 2018 by mirimir

In late March, the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) took effect. And predictably, the US Supreme Court just dismissed United States v. Microsoft Corp. In that case, Microsoft was fighting a subpoena for data stored in an Irish data center.

Protect yourself today and get peace of mind

Shut out hackers, identity thieves and the global government surveillance apparatus — every time you go online.