If GCHQ or any other agency is obtaining mobile phone data through the Dishfire programme without a RIPA notice, that is circumventing British law.
The statements made have sought to only address questions about content being accessed, not metadata. This confusion should be urgently addressed.
Under UK law, if an agency or police force want access to details of who you have texted, where you were when you sent or received a text or the dates and times of your text massages they can obtain it from your phone company. The Regulation of Investigatory Powers Act (RIPA) provides for this. Such powers relate to obtaining communications (or meta) data and not content. Acquiring content requires a warrant from a Secretary of State.
Acquiring meta data does not. It falls under a RIPA section 22 notice, which is authorised within the body requesting the data. Statements have been phrased in such a way as to appear to give assurances, without addressing the question of how metadata is accessed.
For example, Malcolm Rifkknd appearsd on Channel 4 news on Friday evening:
“Whether GCHQ access information themselves or whether they ask NSA or someone else to do it on their behalf, the law is exactly the same. They have to get authority from the Secretary of State. Your program is constantly suggesting that GCHQ might be circumventing British law…..there were similar allegations by the Guardian on what was called Prism. We examined in great detail on any occasion that GCHQ or any British intelligence agency wants to examine the content of any email or text message involving a British citizen they get authority from the Secretary of State. If they don’t do that they’re breaking the law.”
The Foreign Secretary commented on the allegations on the Today programme:
“warrants [are] required from me or the Home Secretary to intercept the content of the communications of anyone within the United Kingdom. That system is not breached. I’ve never seen anything to suggest that system is breached.”
Speaking to Channel 4 News, the former interception commissioner Sir Swinton Thomas did not share this certainty:“It is a worry, yes. And certainly in my time I would take the view that it not open to our intelligence services to obtain or certainly to use communications or data which would not have been lawful in this country.”
This is the key question. If GCHQ went to a British phone company, they need a RIPA notice. Do they need the same notice for data from Dishfire?
It is certainly not a matter of national security to confirm what the process is to access data from Dishfire. Either a RIPA notice is required to access metadata or not. Hiding behind statements about content misses the point, and we would suggest the longer this key question goes unaddressed, the more it loos like this obfuscation is deliberate.
Equally, if this system is being used regularly, it does beg the question why it is not referred to in the statistics published by the IoCC in his annual report.
We will be writing to the Interception of Communications Commissioner to raise these concerns.