The securocrats win. They always win.
Excuse my ahem, rather colourful corruption of what it is GCHQ do, but reading such an obfuscatory report as the one produced by Blears and pals will do that to you. Just like their last major release, where they detailed precisely how the security services failed to keep the killers of Lee Rigby under further surveillance (which probably wouldn't have saved Rigby's, or another soldier's life regardless) and then put all the blame on Facebook, so too here they use a similar approach. Essentially, absolutely everything the security services do involving monitoring the internet is above board, completely kosher, totally necessary to keep us safe. The fact that we knew precisely nothing of this prior to the Edward Snowden leaks, and the ISC itself didn't think to ask is neither here nor there. At the same time, despite everything being a-OK as far as not breaking the law as it is stands, said laws need to be torn up and began again from scratch.
Confused? You shouldn't be. Basically the laws are a complete mess, and always have been rather than just rendered obsolete by technological change. As we already knew, GCHQ's bulk interception capability, known as Tempora, is legal by virtue of the foreign secretary signing a public immunity certificate every six months. However, the RIPA act of 2000 requires that for a specific UK based target to be monitored, as opposed to anyone up to and including every damn person on the internet, a warrant naming that person is required. Except, due to the vast majority of the services we use being hosted overseas, the agencies distinguish between "internal" and "external" communications. Posting on Facebook or Twitter is then an external communication, even if you're just retweeting the joke the person on the desk opposite you put up. This means that while the agencies can't search for your name without getting a warrant, they can suck up all the information they want about you if you happen to be followed by or friends with someone living outside the UK by carrying out the surveillance on them instead. In any case, as James Ball points out, this doesn't preclude their uncovering metadata on you, just the content.
And oh boy, essentially metadata is whatever the intelligence agencies want it to be, metadata not being defined in RIPA anyway. The ISC outlines that only the full url of a website (page 52 of the report) is considered to be content, so while they're not allowed to know precisely which video it was you looked at on YouPorn without a warrant, they are allowed to know you went to the site. It also means they can hoover up the location data stored by your smartphone, as that's not considered to be content either. This is one of the few areas where the ISC isn't convinced by the insistence of the agencies that such information is unintrusive, and so suggest it be regarded as "communications data plus", with added protections under any new bill.
The one new thing the ISC did find out is the agencies have for some time now been purchasing or obtaining "bulk personal datasets" (page 55 onwards), only any further information on just what these datasets are is in the usual style of ISC reports redacted. The assumption is they're databases put together by private companies, social networking firms, all the usual suspects, and most probably contain fairly mundane information that could be sourced through perfectly legitimate means. The ISC notes however the agencies obtain these both through "overt and covert channels", so in other words don't believe that ticking the box saying don't share my information with third parties is going to prevent our friends in Cheltenham from getting their hands on them via unscrupulous methods. They also set out the controls on the use of the datasets, which even by the standards seen above are flimsy, don't apply to the likes of the NSA, so if they're willing they can do the dirty work for GCHQ.
Where the report truly fails, and this again has always been typical of the ISC, is the evidence that supposedly proves bulk interception works can't possibly be shared with us plebs less it tips off our enemies (page 32). Any further details on Tempora and just how much of the internet it has mastered are similarly redacted, again without a convincing reason as to how knowing this might help anyone wishing us harm. It doesn't however stop the committee from ridiculing the likes of Liberty et al from rejecting bulk interception in principle (page 35 onwards), when they and we are not being provided with even the slightest evidence as to whether it works in the way the GCHQ insists to make a judgement on. That they of course frame this by saying privacy organisations would rather there be successful attacks than a slight infringement of civil liberties only underlines the basic hostility the ISC has so often displayed towards critics, both of themselves and the agencies. Just how useless the ISC can be at times is further shown by this non-response to allegations in the media concerning the Belhadj rendition case:
I don't know about you, but that *** has certainly reassured me.
The report in its entirety is wonderful for what it makes clear and yet cannot admit. For all the sound and fury directed at Edward Snowden and the Guardian, all the claims of endangering the public, the soundbites from the heads of MI5 and MI6 of al-Qaida rubbing their hands in glee, the ISC all but admits the leak was accurate, and the current safeguards built into the legislation are not fit for purpose. The ISC knows full well however that any replacement legislation will not simply bring the regulations up to date, but also enshrine in law Tempora and the further powers of surveillance the agencies have long demanded. This will happen without the slightest evidence being presented as to the efficacy of GCHQ's attempt to master the internet, nor anything more than internal oversight to ensure individuals within the agencies are not doing precisely what I describe in the first paragraph and far, far worse. The securocrats win. They always win.