News from the U.K.: the outcome of the Independent Bulk Powers Review is now available here (.pdf, August 2016; mirror). Media reports about the review are available for instance at FT and The Guardian. The review was carried out by David Anderson QC and elaborates on the four bulk powers laid down for MI5, MI6 and GCHQ in the Draft Investigatory Powers Bill (November 2015). That bill is now up for debate in the lower house. In Q1/2016, following the advice of a Joint Committee, the U.K. government provided (further) justification for the new bulk powers proposes in the draft bill; it is available here (.pdf, Q1/2016; mirror). The four bulk powers included in the draft bill are bulk interception, bulk acquisition, bulk equipment interference and bulk personal datasets. TL;DR: the review concludes that there is a proven operational case for bulk interception, bulk acquisition and bulk personal datasets, and a “distinct (though not yet proven)” operational case for bulk equipment interference. No conclusions are made about proportionality or desirability of the powers; that is left as a matter for the U.K. parliament to decide. For my own purposes — related to understanding the draft Dutch bill of which the Dutch government will soon submit the final draft to the Dutch lower house and that also includes new and expanded powers for the Dutch intelligence services AIVD and MIVD related to bulk interception, bulk acquisition and bulk personal datasets (but not bulk equipment interference, at least not in the initial draft of the bill) — I quote the executive summary from the British Independent Bulk Powers Review below.
- This Report evaluates the operational case for four of the powers in the Investigatory Powers Bill currently before Parliament: bulk interception, bulk acquisition, bulk equipment interference and bulk personal datasets. These powers can be used only by MI5, MI6 and GCHQ.
- It provides a full introduction to each of the powers (chapter 2) and notes the generally favourable conclusions of those security-cleared persons who have in the past commented on their utility (chapter 3).
- The security-cleared Review team comprised technical, investigatory and legal experts. We consulted widely. Each member of the Review team authorises me to say that they are in agreement with the conclusions of this Report and with my recommendation (1.28-1.55).
- The Review applied itself in particular (chapter 4) to:
- some 60 detailed case studies provided by MI5, MI6 and GCHQ, together with associated intelligence reports,
- internal documents from each of the Agencies, in which the utility of the powers was discussed, and
- the questioning of some 85 intelligence officials, including on whether other methods could have achieved the same results.
- The Report concludes that there is a proven operational case for three of the bulk powers, and that there is a distinct (though not yet proven) operational case for bulk equipment interference (9.12-9.15).
- As the case studies show, the bulk powers are used across the range of Agency activity, from cyber-defence, counter-espionage and counter- terrorism to child sexual abuse and organised crime (Annexes 8-11).
- The bulk powers play an important part in identifying, understanding and averting threats in Great Britain, Northern Ireland and further afield. Where alternative methods exist, they are often less effective, more dangerous, more resource-intensive, more intrusive or slower (chapters 5-8).
- The Review was not asked to reach conclusions as to the proportionality or desirability of the bulk powers. As the terms of reference for the Review made clear, these are matters for Parliament (1.10-1.14).
- The Report makes a single recommendation: that a Technical Advisory Panel of independent academics and industry experts be appointed by the Investigatory Powers Commission to advise on the impact of changing technology, and on how MI5, MI6 and GCHQ could reduce the privacy footprint of their activities (9.16-9.31).
- Though it found that the bulk powers have a clear operational purpose, the Report accepts that technological changes will provoke new questions. Adoption of its Recommendation will enable such questions to be asked, and answered, on a properly informed basis (9.32).