Two EYPs and more transparency, expert advises
Former director of UK’s MI5 Jonathan Evans recommends radical overhaul of Greece’s intelligence service and better public communication
More support from the government, the possibility of separate agencies for domestic and external security and more openness to ensure the public is more aware of the work Greece’s National Intelligence Service (EYP) is doing are some of the recommendations being put forward by Jonathan Evans, a former director of Britain’s MI5 Security Service.
Kathimerini spoke with Lord Evans during his latest trip to Greece last Monday, where he met with Prime Minister Kyriakos Mitsotakis.
Evans, who is working as an unofficial adviser to the Greek government, also outlines how the surveillance of political figures is conducted in the UK.
After examining the structure and status of the Greek Intelligence Service (EYP), what would you generally underscore as the main problems that need to be addressed?
I haven’t completed the discussions that I’m having. But I think at least three areas come to mind. The first is that there appears to be quite limited support of the central government for security and intelligence matters. Senior ministers do not have the level of support that you might expect in terms of managing information flows and ensuring that there is a common understanding of the requirements and the reporting of intelligence. So I think that there is probably some work to do there. Secondly and institutionally it’s not clear to me that current arrangements that most European countries would have a security service for internal security challenges and a foreign intelligence service in some configuration. And that’s not the Greek model. I want to explore that further. And that also leads on to issues on the way which authorizations and so on are managed in operations. In the UK if there were any kind of suggestion of wiretapping for national security reasons then there would be political visibility of that as well as legal authorization but in the Greek system there isn’t. I think that potentially leaves ministers in a rather exposed position and I’m not quite clear that this is not self-evident because national security is a government issue and something on which people expect the government to have responsibility. And therefore if they’re having the responsibility, they probably ought to have greater insight. There is a question about the way authorizations are undertaken. And the third big area is the one of public trust. And for historical reasons there is not trust I think in the intelligence system across civil society. The level of public understanding looks to me to be low. The visibility of the role of the intelligence service is low. I think the UK was in that position maybe 30 years ago. And we had a consistent policy in trying to explain and engage, so that there is wide understanding of what the role is, what the rules, under which we operate etc. And I think there ought to be a program of that sort in Greece in order to try to take away some of the political controversy of intelligence. Because ultimately anybody of good will is in favor of national security. And therefore there should be greater cross-party support for that. This shouldn’t be as politicized an issue in the same way it would be for other public goods like health etc.
One of your – more visible – contributions to MI5’s operations is that of a more extrovert model of communicating with the public. For Greek standards this is seen as inconceivable. Would you suggest to the Greek government a more public friendly image for EYP? EYP is like a black box. No one knows what’s inside.
The problem with black boxes is that if you will not tell your own story, then someone else will tell it for you… It was a big departure for us in the UK to engage publicly but it has been a very good thing. It has been good in terms of public understanding, in terms of political consensus, it has been good in terms of the morale of our own staff and the feeling that their good work is being represented fairly. So I think that’s an area worth talking about. There is clearly an important point. You can’t undertake intelligence operations in broad daylight. You can’t talk about individual operations. But you can talk about the sort of service that you are or want to be. You can talk about the techniques and skills you brought there, you can talk about it in a much more forward way. Certainly in the UK when people saw heads of the Intelligence Service talking in public, they kind of realized that these were not sinister figures. They were public servants wanting to do a good job. And that was very beneficial to us. I think it would be sensible for Greece to seek a more forward position, a more open position without getting into the details of individual operations.
In the UK, is it legal to monitor the communications of politicians? And if so, do they need to be notified in advance? What is the framework?
I think there are a number of special cases. Not just members of the Parliament. Also journalists who are serving a public interest, and, for instance, medical consultations, religious leaders. There are various people where it’s in the public interest for them to be able to have private conversations without worrying that the government is going to be intruding into them. In the UK there is nobody who can’t be investigated. But it is recognized that for sensitive cases there needs to be a higher bar, that there needs to be more accountability and it’s very much an exception. In principle a member of Parliament who is involved in terrorism or serious crime could be investigated. It would be seen as exceptional. They would not be notified in advance. There would be additional controls around authorizations. And on the political side in 1966 the prime minister gave an assurance to the House of Commons that if any MP had their telephone tapped the PM would in due course come back to Parliament to tell the Parliament that this had happened. It is just called the Wilson Doctrine. As it happens no prime minister has yet ever come back. So this hasn’t happened yet, or the timing hasn’t yet become right. But it is recognized that there are sensitivities, but it is not a complete carve-out.
So, the authorities that are responsible for such sensitive cases are the PM’s office and Home Affairs?
‘In the UK there is nobody who can’t be investigated. But it is recognized that for sensitive cases there needs to be a higher bar, that there needs to be more accountability’
The model of authorization of any intercept is all laid down in law that was renewed in 2016. An authorization has to be initiated by one of the agencies. So for instance in my old service we would say from our professional perspective that we believe that this particular telephone needs to be intercepted. We would make an application to the home secretary, interior minister. If the interior minister, having taken advice from their own lawyers and officials, believes that this is proportionate and lawful and necessary for purposes of national security, then they would sign the authorization. The authorization would then go immediately to something called the Investigative Powers Tribunal, which is a judicial body. So it would go to the judge. The judge would confirm that the appropriate procedures had gone through, this was lawful. The judge then authorizes and then it goes to the telecommunications provider or whatever to access the material. So you have what we call a double lock, you have a political authorization and then you have effectively a judge who confirms that this is lawful. And then there would be continuing scrutiny of that by the Investigative Powers Tribunal, who would review it periodically, they may call up the individual case officer and ask him why this is being done and they would make sure that this continues to be necessary.
How much time does this procedure take?
As the home secretary you would be authorizing warrants every day, either for the first time or renewed. So it’s a daily process. It does not take a long time. A few days. If there is an acute emergency then there is a shortened process. So it can be done quickly. But there is still accountability. And there is a limited period during which you can use the emergency procedures.
So the telephone cannot be intercepted for an indefinite period of time, but rather a specific extent?
Yes. The statutes lay down how long the authorization can be and for how long it can be renewed. In principle you can run an authorization on tapping a telephone for a very long time, but you need to justify it every three months. During the Cold War there were certain embassies whose telephones were intercepted for quite lengthy periods.
Who selects the heads of the intelligence services and under what procedure? Are people from the private sector possible candidates?
The appointment is made by the relevant secretary of state or minister. So for MI6 it is made by the foreign secretary, for MI5 from the home secretary, with the agreement of the prime minister. The procedure is that the job is advertised within government, and any senior official diplomat, military officer, policeman can apply. There is not a public advert for the jobs. In principle there is no reason why that should not happen. But there has always been the view that in order to do the job effectively some experience in government would be required, in the same way that you would not normally appoint as chief of staff someone with no military experience. That’s the model. That’s slightly unusual in European terms, because many of the heads of services in Europe had grown out through the organization. My main career was in the service and then I became the head and the same applies to MI6. But you can have an external head. We had in MI5 a senior diplomat who was brought in because there were concerns that there was not the right person internally. But that’s not unusual in Europe. The head is usually external.
How can a certain degree of democratic accountability be applied without undermining the effectiveness of the character that secret services ought to have?
The system in which the powers of the agency are operating are based on law. And therefore have been authorized by Parliament. And that’s a democratic process on establishing the organization. Secondly, authorizations of significant intrusion have to be authorized by the relevant minister and ultimately the ministers answering for that. And therefore that is democratic control quite apart from the judicial aspect of it. Thirdly, there is a committee of Parliament who oversee the work of the agencies. They do not pre-authorize operations. Those are for government with appropriate safeguard. But they do review the policies procedures of the agencies. They take evidence. And on occasion the government has asked – when there’s been a matter of public concern, for instance a terrorist attack – then that committee has been invited to investigate and in that circumstance they have looked in considerable detail at the operation, the authorizations that were given and how the operation was run. So they get very close to the operational work in retrospective. In the British system the budgets are not pre-authorized because that’s a government process through Parliament. The way that the agencies operate are accountable to the Parliament. The individual operations are visible to ministers that are elected and accountable to Parliament.
So mostly it’s the minister that does the monitoring, about the operations per se…
Yes. There is an interest in balance in terms of power. If you look at MI5, where I used to be director, the operations of the service are the legal responsibility of the director. It was my responsibility to manage the operations of the service. The minister could not come to me and say, “I want you to tap the telephone of this politician or this individual,” because it was my responsibility to make sure that the operation was politically impartial and according to law. Equally there is a balance, because in order to undertake an operation of that sort I would need to go to the minister and get the authorization for that individual warrant. So if they thought that this was wrong they could refuse to sign. And sometimes there would be a discussion around the authorization and they would say, “I don’t see why it needs to be done.” So they could stop you doing things, but they could not make you do things. Which I think it is quite a good balance. So the director can’t get out of control, because he needs external authorization, but equally ministers can’t use the agency for political purposes, because the initiative for such things has to come from the agency itself.
What is the role and involvement of independent authorities in the overseeing of intelligence services in UK?
The critical one from the British perspective is to have independent judges who can review individual surveillance operations and make sure that they are being authorized appropriately. And there is also in the British system a tribunal of all complaints. So if any individual believes that in some way the intelligence services have been doing something wrong in respect to the individual, that can also be investigated. That’s been in place for more than 20 years. I have a high level of confidence in the independence of the British judiciary. But also you know that any surveillance that you used can be selected for review at any time, so you may have to answer for what you have done. And that’s not just on the head-of-service level but it goes down to more junior officers. So that in itself is a very powerful safeguard. Of course if you have a really determined bad actor within the agency then that’s ultimately very difficult to safeguard for. But of course there are softer things. You need to be recruiting the right people. You need to consider ethical aspects. In MI5 we had an ethics counselor. We actively encouraged our new staff to identify ethical issues. That was helpful. Effectively there was a whistleblowing channel, so if someone in the service feels that something wrong is happening they could go outside the service through the whistleblowing channel and draw attention to it.
Would you suggest to the prime minister that the service somehow be divided between external and internal?
That’s an area I want to explore more. The Greek model is unusual in not having a clear internal security service alongside a foreign service. Obviously Greece is not a huge country but at the moment I’m still not absolutely about the relevant responsibilities between domestic and international and also between counterterrorism of the Hellenic Police and of EYP. The role of an intelligence service is quite different to the role of the internal security. The sort of people, accountabilities, capabilities you need are quite different. Managing both in a single organization is an unusual model.
Part of the public discourse not only in Greece but worldwide is the use of spyware like Predator or Pegasus. How accessible is this kind of spy software by governments or private actors? What’s the accumulated experience in the last few years? How can states handle the “privatization” of intelligence and the technological revolution?
This is a real challenge. A generation ago the technologies that enabled you to do this were really in government hands. But increasingly these capabilities are also available in the private sector. In a way to perform a form of hacking. We have seen in the last few years cases which have been revealed. You can legislate against it but of course if you are an ill-intentioned individual that won’t stop you. So on occasions there are diplomatic ways, if an individual’s company is based on another country you can pressure etc. And there may also be economic pressure. But essentially it’s the same problem as hacking, there are groups out there that are highly sophisticated and can use this to get information which should not be accessed. And therefore the normal security mechanisms you need to get the access to. For instance, the mobile phone hacking kit, you need to actually get the initial breach, so you need to get the phishing attack or whatever in order to install the software on your telephone. Therefore strong cybersecurity protocols and training are important. But there will inevitably be errors. And I think anybody who is in a very sensitive public role where communications should be checked from time to time to see whether there is a problem with it. In the same way that when you go to some hostile countries you take a throwaway phone, not your smartphone. But you realize that this attack can land on you even when you are at home, not just when you’re in a hostile third country.
How easy is it for someone to access such technology? Is it expensive? Is it easy to find in the market?
I’m not an expert on that. I think it’s pretty clear that there have been certain technologies that are very easy for countries to buy and then have deniability of them. I think the cost of those capabilities will come down. You know it started with one, and now there have been others. So there will be more. And the underlying technology is quite widely available for those who want it.
