17 Jan 2014

Asking the right questions on surveillance, the NSA and your texts

News that the NSA is hoovering up 200m text messages a day, and giving GCHQ a back door into the information gathered, raises serious questions about observance of UK laws on surveillance.

But to get the right answers it’s important to be clear what we’re asking.17_gchq_g_w
Firstly, let’s distinguish between the content of text messages and the so-called metadata (what number the message was sent from and to, when and where).

In order to look at the actual content of texts, GCHQ staff must have a warrant signed by a secretary of state. There’s no suggestion that they’re disobeying that restriction, which is why Foreign Secretary William Hague was right when he told BBC Radio 4’s Today programme: “That system has not been breached”.

What we’re talking about here is the metadata.

If GCHQ wants to go to a phone company and request info on a particular number, it must get permission under the Regulation of Investigatory Powers Act, or RIPA, and this must be signed by a senior ranking staff member.

What the documents obtained by the Guardian and seen by Channel 4 News show is that GCHQ staff were accessing this kind of information through Dishfire, the database of international text info gathered and stored by the US National Security Agency.

The documents show that GCHQ staff were advised not to use Dishfire to look at the content of messages without a warrant – so they clearly had the desire to operate under the legislation. But no mention is made of getting RIPA permission before pulling off the meta-data – instead, staff were simply told “enter your numbers and off you go”.

So the key questions are: did GCHQ believe that it was able to access a foreign intelligence database for info on UK numbers without getting RIPA permission? Or does the agency have some kind of blanket RIPA permission which authorises access to any data on the Dishfire system?

It seems unlikely we’ll get clarification any time soon, but the answer to those questions cuts to the heart of whether RIPA is now sufficient to offer the kind of protection from state-level snooping that it was drafted to provide.

Follow @geoffwhite247 on Twitter