The 'detailed information' claims that there are errors in the Guardian and Washington Post reports and informs us that the programme operates under section 702 of the US Foreign Intelligence Surveillance Act (FISA). The information further states that the section is designed to facilitate the acquisition of foreign intelligence information concerning non U.S. persons located outside the United States. It cannot be used to intentionally target any U.S. citizen, any other U.S. person, or anyone located within the United States.
Naturally, that enables
the acquisition of intelligence concerning the remainder of the world and questions were raised as to involvement in the programme by Britain's GCHQ and whether UK domestic law was being circumvented by the expedient of obtaining information from locations (such as internet servers) outside the UK. This prompted Foreign Secretary William Hague to assert in the House of Commons that British security services had acted within the law - Statement of 10th June.
On 17th July, Parliament's Intelligence and Security Committee (ISC) said that it was satisfied that UK security services did not break the law by accessing personal data through the US Prism programme - STATEMENT of Sir Malcolm Rifkind (the ISC's Chairman). The statement also refers to it being proper to consider further whether the current statutory framework governing access to private communications is adequate. (The phrase 'statutory framework' refers here to the Intelligence Services Act 1994, the Human Rights Act 1998 and the Regulation of Investigatory Powers Act 2000).
It might be thought that the phrase 'further consideration' suggests that some form of legislation will follow. This appears to have been already confirmed (Public Service) and the 2013 Queen's Speech contained a paragraph referring to bringing forward proposals to enable the 'protection of the public and the investigation of crime in cyberspace.' In 2012, a draft (and controversial) Communications Data Bill was being considered by Parliamentary Committee but, for political reasons within the coalition government, did not get into the legislative programme for 2012-13.
Statements such as those by Mr Hague and the ISC assert that the law is being followed but questions arise about the efficacy of existing domestic law to protect the communications of citizens whose material comes on to servers located in, for instance, the USA. The reality is that the protection is not all that strong - see the article on the Informm's blog by Matthew Ryder QC and McKay - The real concer is that governments may not be breaking any law at all.
The learned authors point to some loopholes in the legal provision. For instance, non-US citizens storing their personal data on US servers have neither the protection of UK domestic law nor the protection that US citizens have from the US government. Furthermore, once such data is in the hands of the US authorities, there is no clear legal framework to prevent it being shared with UK authorities. The article states:
'The Security Service Act 1989 and the Intelligence Services Act 1994 place MI5, MI6 and GCHQ on a statutory basis, and permit those bodies to receive any information from foreign agencies in the ‘proper discharge’ of their statutory functions. Under that broad principle, UK agencies may receive and examine data from the US about UK citizens without having to comply with any of the legal requirements they would have to meet if the same agencies had tried to gather that information themselves. The Regulation of Investigatory Powers Act 2000 (RIPA) that sets out the framework within which GCHQ and others gather information about us, does not to apply if the information has already been gathered by a foreign agency, and is simply being handed over. There is little, if any, legal regulation or oversight in that situation.'
It is not just the Prism programme which is raising concern since it was also reported that GCHQ was tapping fibre optic cables for secret access to world communications - The Guardian 21st June. On 3rd August it was reported that British Telecom and Vodafone have denied allowing GCHQ to tap cables for data - Huffington Post 3rd August. It has been reported that the USA has spent money on Bude, Cornwall:
|GCHQ Bude, Cornwall|
The papers released by Mr Snowden to The Guardian revealed the US National Security Agency (NSA) has paid £100 million to GCHQ over the last three years to access and influence British intelligence gathering.
Intelligence and Security Committee of Parliament
Intelligence Service Commissioner
The Guardian 8th June - NSA's Prism surveillance prorgam: how it works and what it can do
Infosec Institute - Prism - Facts, Doubts, Laws and Loopholes
Trust me, I'm a Foreign Secretary, says William Hague on Prism
European Commission demands answers about Prism data requests - BBC News Technology 12th June