GCHQ does not conduct mass surveillance on citizens of the UK, according to former director Sir David Omand.
Omand, who ran GCHQ from 1996 to 1997, was speaking during a Select Committee set up to scrutinise the ongoing draft Investigatory Powers Bill.
His comments were made in reference to a statement to the committee by Dr Paul Bernal who cited numerous examples of how snooping powers can be exploited by government agencies, how metadata analysis is just as invasive as content collection and how mass data retention would make service providers a target for hackers.
Omand said: "[The examples] were very good ones of why digital mass surveillance is a thoroughly bad idea. Thankfully it doesn't happen now and under the provisions of this Bill it couldn't happen."
His comments come amid a furore over domestic spying sparked by documents leaked by whistleblower Edward Snowden, which have revealed details of the mass surveillance apparatus used by GCHQ, including programmes such as Tempora and XKeyscore.
Following the committee, Bernal, a lecturer in IT, intellectual property and media law at the University of East Anglia, told V3 that Sir Omand is applying a very narrow definition of what constitutes mass surveillance.
"Essentially, he seems to think that surveillance only occurs when human beings examine data. He does not believe that the gathering of data - and the holding of that data - 'counts' as surveillance, and neither does he believe that algorithmic analysis or filtering of that data counts as surveillance," he said.
"If you understand that gathering of data is where surveillance starts, and automated analysis of data can be one of the most intrusive elements, then you can see that this Bill, as it stands, does enable mass surveillance.
"Surveillance, to Sir David Omand, only occurs after all that has happened, and individuals within GCHQ actually examine that data. This, unfortunately, bears very little resemblance to modern surveillance, or to the intrusion that happens right now."
Mass surveillance and metadata
Ever since Snowden released a trove of secret documents in 2013 that outlined the spying capabilities of the NSA and GCHQ, the term metadata has been used to soothe the fears of the public.
Yet according to Bernal, metadata, which is the identifying information around a communication but not the content, can be just as invasive.
"There's a reason why communications data can be more intrusive. One is that by its very nature it is more suitable for analysis and aggregation. You can do more processes to it than you can to content and that means it's subject to what we loosely call big data analysis," he told the committee.
"Sometimes you can get more information out of communications data than you can out of content. I don't think you should be under any illusions that somehow it's okay to have as much communications data gathered as possible but not okay to get the content.
"It can be worse because [with content] you have some control over what you write but with communications data you largely have very little control and it's a different sort of intrusion."
Furthermore, Bernal explained that the internet has now become a vital part of the lives of teenagers, meaning they are particularly vulnerable to internet snooping.
"The thing about the internet as it is now, particularly for younger people, is that they do literally everything on it," he said.
"There is no aspect of their life that doesn't have an online element so if you have a system as is proposed with internet communication records [ICRs], for example where there is some degree of gathering of their entire browsing habits, you do have knowledge about what they are doing in every aspect of their life."
The draft Investigatory Powers Bill demands that UK ISPs store call and internet data for 12 months, a requirement that could cost the UK taxpayer over £17m a year to meet. The Bill comes in the wake of numerous high-level cyber attacks against firms including TalkTalk, VTech and Ashley Madison.
According to professor Bernal, forcing service providers in the UK to store this data will make them a more tempting target for hackers.
"Data, wherever it is and in whatever form it is, is vulnerable in many different ways. [The TalkTalk] information is ideal for ID theft, credit card theft and scamming, and what we are doing if we gather these ICRs is creating a very targeted database which says 'hack me please' on the front," he warned.
The impact on public trust
Ross Anderson, professor of security engineering at the University of Cambridge, said the use of bulk surveillance in the UK has the potential to severely undermine public trust.
"Sudden revelations like the Snowden revelations are extraordinarily damaging because they show the government has been up to no good. And although the government may come up with complicated arguments about why bulk equipment interference was alright [under laws] it's not the way to do things," he said.
"The problem with the use of surveillance technology is that if the technology is used in ways that don't have public support then it undermines the relationship of trust between citizens and police, which is the basis of policing in Britain and has been for many years."
In addition to the damage to trust, the UK economy may be at risk as consumers turn to foreign companies to ensure they are safe from police or government snooping.
"If people overseas come to the conclusion that if they buy a security product from a British firm it may have a GCHQ-mandated backdoor in it they won't buy from a British firm, they will buy from a German firm instead," he said.
"If powers are abused or seen as capable of being abused there could be exceptionally serious damage to British industry."
Yet some advocates of the Bill, such as Sir Omand, maintain that most of the powers included in the draft are not new.
However, it is the collection of the so-called internet connection records that remains a contentious issue with critics.
"The Bill has been marketed as bringing only one new power namely ICRs but it does many other things as well," said Anderson.
"For example, when the Regulation of Investigatory Powers Act [RIPA] passed through this house and became an Act one of the things we lobbied for and secured was the provision that if the agencies wish to command somebody to decrypt something or hand over a cryptographic key then there are special safeguards around that.
"There are many such provisions like that that appear to be swept away with this new legislation and I am afraid that parliament must realise that the arguments are just as strong today as they were then."
According to Anderson, allowing spy agencies and police to hack into a targeted device – a practice called 'equipment interference' – is also included in the draft snooping bill and could result in an "open season on the Internet of Things".
"[Equipment interference] is basically hacking or the installation of malware. What the NSA calls implants and what we call remote administration tools in a machine," he said.
"What's more, as we get digital stuff and more and more devices they can do the same to my granddaughter's Barbie doll, they can do the same to your car, they can do the same to your electricity meter; it's open season on the IoT.
"It goes without saying that controls around this need to be very carefully drawn."
Yet according to the former GCHQ director and senior civil servant Sir David Omand, the latest bill contains the basis for the "gold standard of Europe".
"This is how you get both security and privacy in respect to freedom of speech and the interplay of checks and balances," he said.
The Investigatory Powers Bill will continue to face scrutiny in parliament. Most recently, security experts, civil liberty groups and technology organisations pushed back against key sections of the Bill in 46 separate written submissions to the government.