It might like a contradiction in terms, but this week has seen a fascinating session of the Investigatory Powers Tribunal (IPT).
That’s because, after one witness from GCHQ had repeatedly given misleading evidence to the tribunal, Privacy International, who are challenging GCHQ’s bulk collection powers, were given permission to cross-examine him for the very first time.
How Section 94 directions encroached on your privacy
The IPT hearing in question relates to Section 94 (S94) directions. These were powers held by GCHQ under Section 94 of the Telecommunications Act which allowed them to request bulk communications data. This included internet records and phone data.
The power had been in place since 1998 but was only publicly acknowledged in 2015, when the Investigatory Powers Bill updated and changed it. The IPT has since ruled the power illegal up until 2016 and is now trying to find out more about how they actually worked.
Much of the evidence provided by GCHQ has come from one witness. He has been granted anonymity and is therefore only referred to in the hearings as Witness X. Witness X was, until recently the deputy director for mission policy and as such was responsible for the numerous statements that GCHQ has submitted to the Tribunal.
However, these statements have included a number of errors and factual inaccuracies and Witness X has been forced to submit amendments on several occasions. After the latest, the IPT decided to grant Privacy International the right to cross-examine him, which they did in a recent 2-hour hearing during which Witness X was sat behind a screen.
Privacy International used the opportunity to try and dig down into the detail of GCHQ’s relationship with ISPs and telco’s over the use of S94 directions. Specifically, they want to understand how requests were made and how detailed they were.
How a Section 94 directive worked
An S94 directive is enacted with something known as a trigger letter, but these could only be sent out to an ISP or telco after the Secretary of State had signed off on the use of an S94 direction in that specific instance.
GCHQ has long said that it was the Secretary of State who gave the final ok to an S94 directive, but Privacy International suspects they just signed off a general ok and left it to GCHQ to decide how much information to ask for.
They have provided some evidence to back this up in the dozen or so S94’s which are publicly known to have been sent. But Witness X offered little further clarification on this matter. He did admit that GCHQ was able to narrow the focus of the data being requested, but his statement that this would be “a technical narrowing, rather than substantive” didn’t make things any clearer.
Privacy International’s lawyers also argued that GCHQ had a close relationship with ISPs and telco’s and argued that the latter were more than happy to hand over anything that GCHQ wanted, with the S94 directions only serving as a ‘cover’.
Witness X accepted that the relationship between GCHQ and the communications service providers had been close but argued that the S94 directives were the legal basis for any request. The fact that they have since been ruled illegal is apparently neither here nor there.
Privacy International also pointed out that in a number of cases, there was a gap between the Secretary of State authorising an S94 direction and the trigger letter being sent. In some cases, they had also found that trigger letters were not sent at all. Witness X acknowledged that on some occasions information would have been handed over in other ways.
The hearing failed to unearth any clear new evidence to support the case being made by Privacy International. But the fact that Witness X also failed to adequately discredit their suspicions can only lead to the assumption that there is something in them.
What the hearing means for us today
What does this latest IPT hearing mean to internet users in the UK today? Well on the face of it not much. S94 directions are no longer used by GCHQ since the Snoopers Charter now requires ISPs to retain all internet users data in any case.
But actually, it sends a powerful message to internet users about who they can trust when online. It is becoming increasingly apparent that ISPs and telcos have been, and are continuing to, work hand-in-glove with British intelligence agencies to provide them with user information.
If British internet users want to enjoy any semblance of online privacy, they cannot trust either their government or their ISP. Instead, they have to take matters into their own hands and use a tool which prevents either government snoops or ISPs from seeing what they are doing online.
That tool is, of course, a VPN. With a premium VPN such as IPVanish or ExpressVPN, users can be sure that all their data is securely encrypted and therefore safe from prying eyes. It is also all being redirected through an external server which not only hides your own IP Address to aid in online privacy but also stops your ISP seeing what you are doing online.
All they can see is that you have connected to a VPN server. Beyond that, they have no idea which sites you are visiting and what internet data you are sending.
Communications providers and government spooks have been working together to compromise your online privacy and share user data since at least 1998. They continue to do so today, under the surer legal footing of the Investigatory Powers Act, which Edward Snowden has described as the most intrusive piece of surveillance legislation in the free world.
He is right. And the only way British internet users can be sure of enjoying true online privacy is by using a VPN.